software | Ian Andrew Bell
https://ianbell.com
Ian Bell's opinions are his own and do not necessarily reflect the opinions of Ian Bell
Tue, 08 Apr 2008 17:45:46 +0000

Google launches their app development framework
https://ianbell.com/2008/04/08/google-launches-their-app-development-framework/
Tue, 08 Apr 2008 17:34:30 +0000

… and the web application hosting business cowers in fear. Now, my friends, people are discovering what Google’s REAL differentiated IP is.

Application scaling is a real problem for the managed hosting business unless some software company comes up with a platform/solution that lets them leverage their existing computing infrastructure. This is analogous to, and is probably as big an opportunity as, SAN and NAS a few years ago … big incumbents like EMC and Network Appliance with totally vertical solutions (Google and Amazon in this case) competing with guys using software and off-the-shelf hardware (the hosting companies licensing the wares of some as-yet-non-existent software company).

As I’ve been saying for a couple of years, the shortcut to building an application scaling environment is to build the framework and make it reasonably custom to the scaling environment (Google’s path) which is an obstacle but also makes it very hard to leave once your app is in. There are a number of companies, such as EngineYard, who are making progress on doing this using Ruby on Rails as a platform starting-point, which is very sensible.

I’m not sure what Fred is blathering on about … this has much less to do with how to finance companies than it does with how to host apps. App hosting costs are usually about 1/15th of the operational burn of any company, so this announcement in itself doesn’t change anything in terms of incubators vs. traditional VCs.
It seems to me like he’s using this announcement to beat the “let’s exploit naive, inexperienced fresh-outta-sk00l coders via an incubator” dead horse. Incubators are a worthy financing strategy, but less likely to have the same success ratio as working with people who actually know what they’re doing.
Most entrepreneurs in my peer group would never in a million years shepherd their idea through an incubator. Of course, many of us remember IdeaLab, and its Canadian imitator, IdeaPark.
Regardless, Google’s announcement has nothing to do with business incubators. The effect this really has on incubators is in making it much easier for them to flip their spin-outs earlier to Google. 🙂

Cingular’s FastPitch Sessions: How not to build an ecosystem
https://ianbell.com/2007/06/01/cingulars-fastpitch-sessions-how-not-to-build-an-ecosystem/
Fri, 01 Jun 2007 17:41:36 +0000

I’m frequently amused and bewildered by the naivety and arrogance displayed by the folks who, early in their careers, find themselves in mid-level positions nestled within the comfortable fold of a large Telecom company, and begin to, as they say, believe their own press. I know whereof I speak, since if you check my LinkedIN profile you’ll realize that I too was once sucked into the vortex of Big Telecom. I recall, with the occasional chuckle, the paternalistic sins of arrogance that one commits when one represents the channel-to-market for a region containing millions of customers, sitting upon a literal monopoly casting pearls before the swine that are your users. When you’re young and you don’t have the benefit of perspective, or when you’re old and haven’t worked anywhere else, the power can be intoxicating. You can get lost in yourself, and as a result the fruits of your labour are all-too-easily misguided and out-of-touch with the petty meanderings of reality.

Last year I represented an innovative wireless application called EQO, and having spent and raised millions of dollars we were zipping around the globe talking to carriers, handset manufacturers, and partners developing channels and friends to help us market our applications. We approached Cingular and were dutifully routed into their FastPitch program, which we endured at CTIA in Las Vegas in the Spring of 2006.

I can say this now, since I no longer work at EQO and have no vested interest in partnering with Cingular, and have been waiting for a long time to do so:

I have never been so professionally insulted, so humbled, and so totally and completely discouraged by any interaction with a telecommunications company, as I have been by Cingular’s misguided, counterproductive, and inane FastPitch program. If you are a software, service, or application developer I would encourage you to boycott this program, and if you are considering a partnership with Cingular (now, comically, marketing itself as AT&T) my advice is: Don’t.

The FastPitch program is ostensibly supposed to provide a vetting mechanism for the hundreds of ideas which cross the paths of wireless carriers every year, and is somehow supposed to encourage developers to bring those ideas into Cingular’s service development organization. It’s an interesting idea, that has been absolutely ruined by inexperienced, arrogant personnel, and should IMHO be the laughing stock of the mobile industry.

Most carriers employ Service Development Managers, Business Development Managers, and Channel Managers to entertain partnerships with 3rd party developers in order to bring new and innovative products and services to their customer base. These people actively pursue and field new ideas from all over the place, and are mandated to come up with new ideas and bring the good ones to market.

Not so with Cingular, it would appear. Instead, they’ve attempted to create a formalized process which subjects potential partners to a “Gong Show” style 3-minute panel pitch, in order to separate the wheat from the chaff of third-party applications in an efficient manner. But the effect is rather the opposite. Here’s Cingular’s boilerplate (and believe me, the whole program is boilerplate) spiel:

The FastPitch session at CTIA is an opportunity for the Cingular Developer Program and Business Development teams to gather preliminary information about ISV applications. These events are not designed to be lengthy go-to-market discussions with prospective partners.

ISVs registered for the Cingular FastPitch sessions at CTIA are asked to bring a 3 minute demonstration and pitch to present to our team. You will have 12-15 minutes total with our group, which will encompass 3 minutes for you to present your application and 9 to 12 minutes of survey about your solution.

This sounds like a compromise to the usual method of business development in Telecom: find an authorized representative, build a rapport, create an internal advocate, and work together to understand each company’s motivations and market drivers, and hopefully end up as partners bringing a new service to market.

But in practice, even the somewhat plausibly workable structure of the boilerplate was corrupted. First, when you arrived for your FastPitch appointment you were given nametags, filled in and signed a form which effectively nullified your rights to ownership of your own intellectual property, and were asked to queue in a lineup of other hapless courtiers. I stood behind one gentleman whose idea had something to do with birdhouses, and in front of a couple from a major software vendor.

When you got to the front of the line, there before you sat four Cingular employees, each in their Mid-20s (I’m guessing they weren’t VPs) who would only tell you their first name and would not, for love nor money, give you their business cards. Instead of pitching all four of these people together, who for all I know were junior sales reps from the local mall, and engaging in a quality 15-minute discussion, you instead pitched each one individually, for three minutes. Todd and I attempted to do this, but our 9-slide PowerPoint and product demo overflowed every time. During our session, just before we were to start in on the third intern, he got up and left, leaving us cooling our heels for three minutes… and we couldn’t help but chuckle at the insanity of the process. A woman surveying the whole scene held a stopwatch and literally yanked the birdhouse guy out of the way to ensure that we advanced to each successive intern in a timely fashion.

The whole process was comical. The interns asked no questions. They could not have possibly discussed our company or services with each other. Instead, they graded us on forms, wrote occasional notes (which they carefully concealed) and generally looked disinterested and weary (apparently they were subjected to these 3-minute pitches all day — accounting for lunch and time slippage, that’s 105 pitches per day for three days).

With that process and volume, I’m not sure who could pass through the filter and make it into Cingular’s developer program, but even when we did it really did little to further our objectives to work with Cingular. There were still no real points-of-contact, no internal advocates, no steps forward to advance the conversation. Instead, we were now being marketed to with the same disdain as Cingular’s victims customers.

Other carriers have indeed taken a more enlightened approach. Vodafone has a team in Walnut Creek that I’ve gotten to know quite well, and their role is to search for new ideas and applications, reaching out to partners where possible. And most subscribe to the traditional method of building personal relationships with companies who have interesting applications.

For Cingular/AT&T, though, I can think of no more appropriate fate than to be out-innovated by competitors and outsmarted by third parties who figure out a way to relegate them to the dumb-pipe providers that they are ultimately destined to become. And for the employees who represented their company so well during our FastPitch settings, I’m reminded of the myriad job postings from 2001 which were subtitled “Telecom workers need not apply.” … these may experience a renaissance during the next great Telecom purge which will inevitably arise.

-Ian.

Verisign’s At It Again..
https://ianbell.com/2003/09/17/verisigns-at-it-again/
Wed, 17 Sep 2003 17:19:07 +0000

http://www.washingtonpost.com/wp-dyn/articles/A19860-2003Sep16.html

washingtonpost.com Software Aimed at Blocking VeriSign’s Search Program

By Anick Jesdanun AP Internet Writer Tuesday, September 16, 2003; 4:00 PM

NEW YORK — The developer of software that essentially guides Web surfers sought Tuesday to neutralize a controversial service designed to help users who mistype Internet addresses.

The Internet Software Consortium, the nonprofit organization that develops BIND software for Internet domain name directories, is writing an “urgent patch” for Internet service providers and others who want to block customers from a new Site Finder service from VeriSign Inc.

VeriSign, which keeps the master lists of names ending in “.com” and “.net,” launched Site Finder on Monday to steer users to likely alternatives when they type addresses for which no Web site exists.

Though VeriSign gets unspecified revenues from search engine partners whose technology powers Site Finder, company officials described the service as primarily a navigation tool to help lost Internet users.

Critics, however, say the service eliminates user choice, gives a private company too much control over online commerce and could violate longstanding Internet standards.

VeriSign’s service, which affects only “.com” and “.net” names, also overrode similar services offered by several Internet service providers, including America Online, and through Microsoft Corp.’s Internet Explorer browser.

The BIND patch allows AOL and others to restore control by identifying and then ignoring data from Site Finder, said Paul Vixie, president of the Internet Software Consortium.

When the patched software receives such data, it will instead pass along an “address not found” message.

“We’re making this patch available because our customers are screaming for it,” Vixie said.

Though running the software update is optional, Vixie expects many customers will. The consortium was testing the patch Tuesday and planned to release it by Wednesday.

VeriSign officials did not immediately return calls Tuesday. On Monday, its vice president for naming services, Ben Turner, said service providers were free to configure their systems so customers would bypass Site Finder.

BIND, a free product, is used by most domain name servers at service providers, corporations and other networks. Typically, those servers keep temporary copies of the master directories obtained from VeriSign.

VeriSign estimates that people mistype “.com” and “.net” names some 20 million times daily and cites internal studies showing users prefer navigational help over a generic error message.

Earlier this year, a suburban Washington company called Paxfire Inc. tested a similar service for “.biz” and “.us” names, but the U.S. government and a private oversight board asked Paxfire to suspend it after a few weeks pending a review, Paxfire chairman Mark Lewyn said.

A similar feature exists with “.museum” names. People who type in nonexistent addresses are offered an index of museum sites.
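The mechanism the article describes, a resolver that recognises Site Finder’s synthesised answers and hands the client “address not found” instead, reduces to a filtering policy applied to every response received from the .com and .net servers. The Python below is an added illustration written for this page, not ISC’s BIND patch (BIND 9.2.3 shipped the policy as the `delegation-only` zone type). The DNS messages, server names and the 192.0.2.1 sinkhole address are constructed placeholders; Site Finder’s real address is not given in the article and is not assumed here.

```python
"""Delegation-only filtering of TLD responses: the policy BIND 9.2.3 added as the
`delegation-only` zone type in reply to Site Finder.  Added illustration for this
page, not ISC code; every DNS message below is constructed in memory."""
from dataclasses import dataclass, field, replace
from typing import Collection

NOERROR, NXDOMAIN = 0, 3          # DNS RCODEs


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    zone: str                     # zone the answering server is authoritative for
    aa: bool                      # Authoritative Answer flag from the DNS header
    rcode: int = NOERROR
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def canon(name: str) -> str:
    """Normalise a name for comparison: DNS is case-insensitive, trailing dot optional."""
    return name.rstrip(".").lower()


def enforce_delegation_only(resp: Response, delegation_only: Collection[str],
                            exclude: Collection[str] = frozenset()) -> Response:
    """Rewrite to NXDOMAIN any *authoritative* answer for a name below the apex of a
    delegation-only zone.  Such a zone is expected to hold nothing but NS/DS records
    delegating to child zones, so an authoritative A record for examlpe.com coming
    from the .com servers can only have been synthesised (Site Finder's wildcard).
    Referrals, apex queries and zones on the exclude list pass through untouched."""
    zone = canon(resp.zone)
    if zone not in delegation_only or zone in exclude:
        return resp                      # policy does not cover this zone
    if resp.rcode == NXDOMAIN or canon(resp.qname) == zone:
        return resp                      # already negative, or the TLD's own SOA/NS/DS
    if not resp.aa:
        return resp                      # a referral: the TLD is delegating, as it should
    # Keep only the SOA (if any) so the negative answer is still cacheable.
    return replace(resp, rcode=NXDOMAIN, answer=[],
                   authority=[rr for rr in resp.authority if rr.rtype == "SOA"])


def strip_sinkhole_answers(resp: Response, sinkhole_ips: Collection[str]) -> Response:
    """Alternative policy: drop A records pointing at a known redirector address.
    Simpler, but it has to be updated whenever the redirector moves, which is why
    the zone-level rule above is the more robust of the two."""
    kept = [rr for rr in resp.answer if not (rr.rtype == "A" and rr.rdata in sinkhole_ips)]
    if len(kept) == len(resp.answer):
        return resp
    return replace(resp, answer=kept) if kept else replace(resp, rcode=NXDOMAIN, answer=[])


# Policy for the resolver.  The sinkhole address is a constructed placeholder from the
# RFC 5737 documentation range; the article does not give Site Finder's real address.
DELEGATION_ONLY = {"com", "net"}
EXCLUDE: set = set()              # TLDs that legitimately host second-level data would go here
SINKHOLE_IPS = {"192.0.2.1"}

# Constructed upstream responses, as a resolver would see them during Site Finder.
REFERRAL = Response(qname="www.example.com.", qtype="A", zone="com.", aa=False,
                    authority=[RR("example.com.", "NS", "ns1.example.net.")])
WILDCARD = Response(qname="examlpe.com.", qtype="A", zone="com.", aa=True,
                    answer=[RR("examlpe.com.", "A", "192.0.2.1")])
APEX = Response(qname="com.", qtype="SOA", zone="com.", aa=True,
                answer=[RR("com.", "SOA", "ns.example.net. hostmaster.example.net. 1 1 1 1 1")])


def apply_policy(resp: Response) -> Response:
    """What a patched resolver runs on every response before answering the client."""
    resp = enforce_delegation_only(resp, DELEGATION_ONLY, EXCLUDE)
    return strip_sinkhole_answers(resp, SINKHOLE_IPS)


def describe(resp: Response) -> str:
    if resp.rcode == NXDOMAIN:
        return "NXDOMAIN (address not found)"
    if not resp.answer:
        return "referral to " + ", ".join(rr.rdata for rr in resp.authority)
    return "answer " + ", ".join(rr.rdata for rr in resp.answer)


if __name__ == "__main__":
    for msg in (REFERRAL, WILDCARD, APEX):
        print(f"{msg.qname:<18} -> {describe(apply_policy(msg))}")
```

The zone-level rule is the one that survives the registry changing its redirector address: it needs no knowledge of where Site Finder points, only the fact that a .com or .net server has no business returning authoritative host data for a second-level name. The exclude list exists because some registries legitimately serve such data and would otherwise go dark under the policy.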

2002: The Year In Technology
https://ianbell.com/2002/12/27/2002-the-year-in-technology/
Fri, 27 Dec 2002 09:14:31 +0000

http://www.newscientist.com/news/news.jsp?id=ns99993215

*2002: The year in technology*

09:00 25 December 02

Will Knight

The entertainment industry upped its attack on the internet file-sharing in 2002 by introducing new and controversial “copy protection” technologies to prevent computer copying of music and movies.

The year began on a sour note when the company behind the Compact Disc standard, Philips, publicly condemned (http://www.newscientist.com/news/news.jsp?id=ns99992271) […] in certain Macintosh computers, causing them to crash and refusing to reboot. A piece of sticky tape or a marker pen was then shown to be enough to defeat another protection system (http://www.newscientist.com/news/news.jsp?id=ns99992464) […] file sharing networks and connected computers to disrupt infringement. The plans have caused outrage and prompted some researchers to develop pre-emptive countermeasures […]

[…] saw technological developments that promise to keep computer systems more secure. In May, the first ever commercial quantum encryption device was unveiled by Swiss company id Quantique. By exploiting the quantum properties of photons to transmit information, quantum cryptography can deliver unbreakable encryption keys.

In October, researchers at the UK’s defence research agency QinetiQ demonstrated the same trick through thin air, firing a stream of quantum bits (http://www.newscientist.com/news/news.jsp?id=ns99993114). In the same month Austrian researchers demonstrated the first quantum calculation (http://www.newscientist.com/news/news.jsp?id=ns99991893) […], made from a single carbon nanotube, was revealed. With a diameter of only 75 nanometres, the instrument can measure the temperature change that occurs when a few molecules react with one another.

The endlessly versatile carbon nanotube was then shown also to have an explosive side (http://www.newscientist.com/news/news.jsp?id=ns99992389) […] of computer storage beyond current limitations.

*Number cruncher*

At the other end of the computing scale, meanwhile, the race to build the world’s most powerful scientific supercomputer gained momentum. In April, Japan’s Earth Simulator at the Marine Science and Technology Center in Kanagawa was crowned as the new supercomputing world champion (http://www.newscientist.com/news/news.jsp?id=ns99993080) […] over the next three years.

2002 also saw the first match between a world chess champion and the world’s leading computer player since another IBM computer, Deep Blue, defeated Gary Kasparov in a controversial match held in 1997.

In October, the current world champion Vladimir Kramnik took on […] (http://www.newscientist.com/news/news.jsp?id=ns99992947).

One of the more bizarre and controversial technological breakthroughs of the last year involved harnessing a different kind of non-human intelligence. In May a team at the State University of New York implanted radio-controlled electrodes in rat’s brains to create the world’s first radio controlled automaton (http://www.newscientist.com/news/news.jsp?id=ns99992200) […] to 56.6 million, placing the country behind only the US in terms of internet use. And with a total population of over one billion, China could have an online population of around 257 million by 2005.

The Chinese government also increased efforts to control use of the internet in 2002. In September, the government prevented surfers behind the country’s “Great Firewall” from accessing the search engine Google, which caches many restricted sites. But a reversed version of Google called elgooG […] (http://www.newscientist.com/news/news.jsp?id=ns99992449).

While Microsoft claims this will put security first by controlling what software can be run on a computer, critics allege it could be used […]

Some execs scored big as company values plunged
https://ianbell.com/2002/12/09/some-execs-scored-big-as-company-values-plunged/
Tue, 10 Dec 2002 00:58:02 +0000

Duh! But LOOK at how much wealth converged on so few people… what was the economic purpose of the bubble?

-Ian.

Begin forwarded message:

> ———- Forwarded message ———-
> Date: Mon, 09 Dec 2002 10:44:23 -0500
> From: Dave Farber
> To: ip
> Subject: [IP] VERY INTERESTING — Some execs scored big as company values plunged
>
>
http://www.bayarea.com/mld/bayarea/business/4696887.htm

> Some execs scored big as company values plunged
> By Chris O’Brien and Jack Davis
> Mercury News
>
> Running companies that became almost worthless didn’t stop dozens of Silicon Valley insiders from pocketing billions of dollars by selling their stock during the tech boom and bust.
>
> The Mercury News examined the stock sales record of insiders at 40 companies in Silicon Valley that have lost virtually all their value since the stock market peaked in March 2000. The executives, board members and venture capitalists at these companies walked off with $3.41 billion, while their companies’ total market value plunged 99.8 percent to a mere $229.5 million at the end of September.
>
> It represented a remarkable transfer of wealth from the pockets of thousands of anonymous investors — from day traders to pension funds — into the wallets of executives and directors who turned out to be winners even when their companies became some of Silicon Valley’s biggest losers.
>
> Coming at a time of public discontent with corporate ethics, the disconnect between the performance of these companies and the executives’ fantastic rewards is symptomatic of the problems that have ignited calls to reform executive compensation and corporate governance.
>
> “The people who bought the stock they sold are the victims here,” said Charles Elson, director of the Center for Corporate Governance at the University of Delaware. “This money was taken from investors who didn’t have the same information as these insiders and lost their money.”
>
> The Mercury News compiled a list of local companies whose stock price dropped at least 99.5 percent from March 2000, when the Nasdaq peaked, to Sept. 30, 2002. Those companies were then ranked by the amount of stock sold by insiders — roughly 300 — since the beginning of 1997.
>
> This means the list leaves off some spectacular flameouts where executives weren’t shy about selling stock. For instance, JDS Uniphase missed the cut, with a 97.1 percent drop, even though executives sold $1.17 billion in stock between May 1997 and November 2002, even as the optical components company was firing two-thirds of its employees. Also absent is software company Ariba, whose stock dropped 98.7 percent and where insiders sold $1.26 billion between October 1999 and November 2002.
>
> The survey also excludes some of the valley’s household names. Not included are John Chambers, who between August 1997 and February 2000 sold $296.2 million in Cisco stock; Larry Ellison, who in January 2001 sold $894.8 million in Oracle stock; and Scott McNealy, who from May 1997 to July 2002 sold $107.9 million in Sun Microsystems stock. These corporate giants generally are older and remain strong competitors even as their stock prices have tanked.
>
> Supposed good bets
>
> The 40 companies on the Mercury News list are primarily software, hardware and telecommunications companies — the infrastructure providers that were supposed to be good bets rather than flighty dot-coms.
>
> These companies are a seriously wounded bunch. While not true of every company, as a group, they have a variety of problems. Most had major restructurings that led to mass firings. Fifteen went bankrupt. Several more are running out of cash.
>
> Almost half the companies face lawsuits from angry shareholders. Five of the Top 15 companies had to restate earnings, some from periods when insiders were selling stock. And a handful of the companies have been cited in investigations by Congress and the Securities and Exchange Commission into investment banks accused of manipulating IPOs.
>
> Though option grants usually get the most attention, much of the stock sold by insiders at these companies were shares they gained from being founders or early-stage venture investors prior to IPOs. Once their standard 180-day lock-up periods ended, many of these insiders began selling their stock like there was no tomorrow.
>
> For some of their companies, there isn’t much of a tomorrow:
>
> • John Little, founder and CEO of Portal Software, sold $127.5 million of stock in Portal, which is on the verge of being delisted by Nasdaq. Portal, which sells billing software, topped the Mercury News list with insiders selling $704 million in stock — more than its total revenue since the May 1999 IPO.
>
> • David Peterschmidt, CEO of Inktomi, sold $90.5 million of stock at the No. 2 company on the list. Inktomi, once a promising Internet search engine company, in November sold off a major division to raise cash it needs to survive.
>
> • K.B. Chandrasekhar, founder and former CEO of the former Exodus Communications, cashed out $135.1 million in stock at the Web hosting company before it went bankrupt. Chandrasekhar is now founder and CEO of Jamcracker. Exodus was bought out of bankruptcy by Cable & Wireless, which recently announced more layoffs at the hosting division.
>
> • Dennis Barsema, former CEO of Redback Networks, sold $138.4 million in stock before he left in July 2000 after 2 1/2 years at the helm. Barsema later became CEO at Onetta, another networking start-up. He donated $20 million in stock to his alma mater, Northern Illinois University. Meanwhile, Redback announced another round of layoffs Nov. 14 and says it may have to raise more financing to stay afloat.
>
> • Jerry Shaw-Yau Chang, former CEO of Clarent, sold a measly $16.5 million, though insiders at his telecom company dumped $355.8 million. Mired in accounting irregularities, the company has restated financial statements for 2000 and part of 2001, and been unable to report earnings for most of 2002.
>
> • Thomas Jermoluk, former CEO of At Home, sold $50.3 million before the cable broadband giant filed for bankruptcy. The company, known as Excite@Home, once boasted a market value of $13 billion before vaporizing following squabbles with its main shareholder and partner, AT&T. Jermoluk is now a venture partner at Kleiner Perkins Caufield & Byers.
>
> Executives at every company contacted either did not return phone calls or declined to comment, in many cases citing pending litigation. The one exception was Frederick D. Lawrence, former CEO of Adaptive Broadband, who agreed — after speaking with his lawyer — to discuss executive compensation though not the specifics of his company.
>
> He pointed out that executive pay plans are publicly available and that most investors never bother to read them. And when insiders sell stock, they must also publicly disclose the sales in filings to the SEC.
>
> “People really work hard in these industries,” Lawrence said. “They spend hours away from friends and family. Although that’s not an excuse for any poor behavior.”
>
> No surprise
>
> However, Nell Minow, editor of the Corporate Library, a research center that focuses on corporate governance, said the heavy insider stock sales are no surprise. Minow is a leading critic of allowing insiders to sell their stock because it creates the temptation to push the envelope on things like accounting.
>
> “They sell the stock and then they restate the earnings,” Minow said. “That brings it one step closer to being a Ponzi scheme.”
>
> The increasing use of stock and options to compensate executives over the past decade grew out of a broader shareholder value movement. The idea was to align the interests of executives with the stockholders who, in theory, are more important than employees or managers.
>
> But the practice has come under fire from critics who say stock grants have forced executives to become too focused on short-term results and doing whatever it takes to boost the stock price. That in turn can lead to everything from laying off employees after a bad quarter to feeling pressure to bend or break accounting rules to make the numbers.
>
> “Their decisions are distorted,” said Neelam Jain, assistant professor at Jones Graduate School of Management at Rice University. “What the managers are trying to do is maximize their own profits and not the firm’s profits.”
>
> Graef Crystal, a leading compensation expert in Las Vegas, believes the problem has been overblown. He points out that while many executives sold their stock, many of them could have sold far more, which they elected to keep and which eventually became worthless.
>
> Did they know?
>
> “The fact that they left huge amounts of money on the table does not suggest they knew something was coming,” Crystal said.
>
> But the criticism of these insider stock sales continues to grow. That backlash increased in November, when the Conference Board released an annual survey of 2,841 companies in 14 industries that showed executive pay and perks continued to rise in 2001 even as the stock market and economy slumped.
>
> At the same time executive compensation has exploded, bankruptcies have soared and publicly traded companies are facing record numbers of shareholder lawsuits. According to the Securities Class Action Clearinghouse at Stanford Law School, the number of shareholder suits rose from 213 in 2000 to 488 in 2001 — despite a law passed in 1996 by Congress to discourage such litigation.
>
> While many companies dismiss such litigation as a nuisance, observers say many corporate insiders still underestimate the anger of investors who lost big sums during the boom and bust and are still feeling burned.
>
> “This is not a victimless crime,” said Charlie Cray, director of Citizen Works’ Campaign for Corporate Reform. “The argument is that they’re taking risks. But they’re taking risks with other people’s money.
>
> “This is really a question of fairness.”

Sign Up For DJ School!
https://ianbell.com/2002/10/02/sign-up-for-dj-school/
Thu, 03 Oct 2002 00:52:47 +0000

Forget flying to New York. Come to my place and Mario and I will teach you. For an extra $500, Gersham will sit in the corner and tell you what a wanker you are for selecting anything with lyrics.

-Ian.

—– http://www.fortune.com/indexw.jhtml?channel=artcol.jhtml&doc_id 9693

Magna Cum Loud The art of DJing has come a long way. How far? A new school is drawing students from Wall Street and beyond FORTUNE Monday, October 14, 2002 By Daniel Roth

Singer Angie Stone has a nice hit in “Wish I Didn’t Miss You.” The song is danceable, features appropriately vacuous lyrics, and has an infectious groove. But, for Eric Schimmel, “Wish” has a major flaw: Its tempo doesn’t match King of House’s “Billie Jean Club Remix.”

It’s a DJ’s worst nightmare. And Schimmel, 31, is determined to be a DJ. By day, Schimmel’s a vice president in emerging markets for Credit Lyonnais, but at night he’s been spinning at a restaurant in Manhattan. Now he’s preparing for the big leagues: a chance to DJ at a club in Ibiza, Spain. He knows these two records played back to back will be a hit with the dancers, but he has to get it right. So on a humid Friday night in August, Schimmel–suit jacket off and tie loosened–stands behind two turntables with his tutor, a 34-year-old giant by the name of DJ Kwest.

As Stone’s song plays, Schimmel puts one finger in the air, flicking it up at each of the snares and down at the bass drum. Finding the beat, he reaches for the mixing board that rests between the spinning records and slowly inches over a lever that should seamlessly stitch the songs. The result is a mess of drums and Michael Jackson lyrics. Kwest, whose real name is Derek Scantlebury, shakes his head and shuts off both turntables. “Listen first,” he says, moving into Schimmel’s spot. “Adjust it to make it match up. Drop it on the high hat.” Kwest restarts the records, spins “Billie Jean” back a few revolutions, scratches the bass beat, and lets go. Stone morphs into King of House. “This is how fluid it could be.”

Over the past few months, Schimmel and a couple hundred like him have walked up the six flights of stairs to the Scratch DJ Academy in Manhattan for such wisdom. The students come from the tech world, retailing, school, or Wall Street to learn from teachers by the names of Mista Sinista, Evil Dee, and Brooklyn Miph. Each student is trying to figure out the same thing: how to turn a party loose.

The Rolling Stones might make billions by milking baby-boomer nostalgia, but for Gen Xers on down, today’s real music idols are DJs. Stars like Paul Oakenfold and the Chemical Brothers spin to arenas of screaming fans. In mid-September, Intel kicked off a multimillion-dollar ad campaign featuring music from Moby and Basement Jaxx. At music giant Sam Ash, DJ equipment sales–now a $500 million business for U.S. retailers–are up 4% from last year while electric guitar sales are flat.

So it’s no surprise that entrepreneurs have figured out there’s money to be made in teaching how to use the equipment. Which is where Scratch comes in. The school is the brainchild of Rob Principe, a 29-year-old former dot-commer who sports a goatee and greets people with a clasp that’s half soul shake, half hug. In 1999, Principe, a jazz lover, went to a party at a club in New York and watched the DJ spin song after song until the entire club seemed to be dancing. Principe was in awe.

“He flipped 1,500 people,” he says. “He turned them upside down. I walked out and said, ‘That moved me. Just like a book or a good movie or a piece of art.’ It was like, Now what?”

The answer came in 2000 when Principe lost his job as the head of sales for an Israeli software company. Using connections from local venture capitalists, he got in touch with Jason “Jam Master Jay” Mizell, the DJ behind seminal rap group Run-DMC, and Reg E. Gaines, author of Bring in Da Noise, Bring in Da Funk, to discuss the idea of a school for DJs. The three tossed around plans, and in February 2002, Scratch opened its doors in a space that houses Pseudo.com. When Principe advertised a free first semester on his website, 1,200 people signed up.

In the offices, covered in dark paint and graffiti, students are run through a six-week, $270 course on the entire process of DJing. The beginner level, or DJ101, comprises everything from how a turntable works to how to market yourself. DJ202 features more complex classes, such as Advanced Beatmaking and Battle DJ: Routines and Analysis.

But at its base, being a DJ comes down to one thing: “You’re responsible for everybody’s good time,” says Jahi Lake. A tall, dreadlocked teacher who DJs as the Sundance Kid, Lake is running Jared Cantor through the basic lesson. A 29-year-old sales executive for search-engine Looksmart, Cantor heard DJs in clubs and watched as his friends installed turntables and mixing boards in their living rooms. He wanted to give it a try.

Lake takes him through step by step: Before putting on a record, a DJ has to know how many beats per minute (BPM) the two songs contain. The closer the songs’ BPM, the easier to mix. And the higher the BPM, the more people dance. Most DJs start slow, then boost the BPM as the night goes on. Lake explained how to plug a turntable into a mixer, how to control a record’s pitch, and how to mark a record for phrases and beats worth scratching. Lake demonstrates, singling out a lyric in rapper Ludacris’s “Area Codes” and scratching it, creating a new bass line. Cantor tries the same, creating a sound similar to a car driving with a flat tire. “See, he makes it look easy, man,” says Cantor.

Class continues another 15 minutes, and by the end, Cantor’s still having trouble scratching. But he is able to blend one record into the next. That might not sound like much, but in a time when turntables have become the new electric guitar, it’s a start.

Scratch DJ Academy 212-625-3881,

———–

Homeland Insecurity.. https://ianbell.com/2002/08/13/homeland-insecurity/ Tue, 13 Aug 2002 09:50:26 +0000 https://ianbell.com/2002/08/13/homeland-insecurity/

Homeland Insecurity: A top expert says America’s approach to protecting itself will only make matters worse. Forget “foolproof” technology—we need systems designed to fail smartly
by Charles C. Mann
The Atlantic Monthly | September 2002
http://www.theatlantic.com/issues/2002/09/mann.htm

To stop the rampant theft of expensive cars, manufacturers in the 1990s began to make ignitions very difficult to hot-wire. This reduced the likelihood that cars would be stolen from parking lots—but apparently contributed to the sudden appearance of a new and more dangerous crime, carjacking.

After a vote against management Vivendi Universal announced earlier this year that its electronic shareholder-voting system, which it had adopted to tabulate votes efficiently and securely, had been broken into by hackers. Because the new system eliminated the old paper ballots, recounting the votes—or even independently verifying that the attack had occurred—was impossible.

To help merchants verify and protect the identity of their customers, marketing firms and financial institutions have created large computerized databases of personal information: Social Security numbers, credit-card numbers, telephone numbers, home addresses, and the like. With these databases being increasingly interconnected by means of the Internet, they have become irresistible targets for criminals. From 1995 to 2000 the incidence of identity theft tripled.

As was often the case, Bruce Schneier was thinking about a really terrible idea. We were driving around the suburban-industrial wasteland south of San Francisco, on our way to a corporate presentation, while Schneier looked for something to eat not purveyed by a chain restaurant. This was important to Schneier, who in addition to being America’s best-known ex-cryptographer is a food writer for an alternative newspaper in Minneapolis, where he lives. Initially he had been sure that in the crazy ethnic salad of Silicon Valley it would be impossible not to find someplace of culinary interest—a Libyan burger stop, a Hmong bagelry, a Szechuan taco stand. But as the rented car swept toward the vast, amoeboid office complex that was our destination, his faith slowly crumbled. Bowing to reality, he parked in front of a nondescript sandwich shop, disappointment evident on his face.

Schneier is a slight, busy man with a dark, full, closely cropped beard. Until a few years ago he was best known as a prominent creator of codes and ciphers; his book Applied Cryptography (1993) is a classic in the field. But despite his success he virtually abandoned cryptography in 1999 and co-founded a company named Counterpane Internet Security. Counterpane has spent considerable sums on advanced engineering, but at heart the company is dedicated to bringing one of the oldest forms of policing—the cop on the beat—to the digital realm. Aided by high-tech sensors, human guards at Counterpane patrol computer networks, helping corporations and governments to keep their secrets secret. In a world that is both ever more interconnected and full of malice, this is a task of considerable difficulty and great importance. It is also what Schneier long believed cryptography would do—which brings us back to his terrible idea.

“Pornography!” he exclaimed. If the rise of the Internet has shown anything, it is that huge numbers of middle-class, middle-management types like to look at dirty pictures on computer screens. A good way to steal the corporate or government secrets these middle managers are privy to, Schneier said, would be to set up a pornographic Web site. The Web site would be free, but visitors would have to register to download the naughty bits. Registration would involve creating a password—and here Schneier’s deep-set blue eyes widened mischievously.

People have trouble with passwords. The idea is to have a random string of letters, numbers, and symbols that is easy to remember. Alas, random strings are by their nature hard to remember, so people use bad but easy-to-remember passwords, such as “hello” and “password.” (A survey last year of 1,200 British office workers found that almost half chose their own name, the name of a pet, or that of a family member as a password; others based their passwords on the names Darth Vader and Homer Simpson.) Moreover, computer users can’t keep different passwords straight, so they use the same bad passwords for all their accounts.

Many of his corporate porn surfers, Schneier predicted, would use for the dirty Web site the same password they used at work. Not only that, many users would surf to the porn site on the fast Internet connection at the office. The operators of Schneier’s nefarious site would thus learn that, say, “Joesmith,” who accessed the Web site from Anybusiness.com, used the password “JoeS.” By trying to log on at Anybusiness.com as “Joesmith,” they could learn whether “JoeS” was also the password into Joesmith’s corporate account. Often it would be. “In six months you’d be able to break into Fortune 500 companies and government agencies all over the world,” Schneier said, chewing his nondescript meal. “It would work! It would work—that’s the awful thing.”

During the 1990s Schneier was a field marshal in the disheveled army of computer geeks, mathematicians, civil-liberties activists, and libertarian wackos that—in a series of bitter lawsuits that came to be known as the Crypto Wars—asserted the right of the U.S. citizenry to use the cryptographic equivalent of kryptonite: ciphers so powerful they cannot be broken by any government, no matter how long and hard it tries. Like his fellows, he believed that “strong crypto,” as these ciphers are known, would forever guarantee the privacy and security of information—something that in the Information Age would be vital to people’s lives. “It is insufficient to protect ourselves with laws,” he wrote in Applied Cryptography. “We need to protect ourselves with mathematics.”

Schneier’s side won the battle as the nineties came to a close. But by that time he had realized that he was fighting the wrong war. Crypto was not enough to guarantee privacy and security. Failures occurred all the time—which was what Schneier’s terrible idea demonstrated. No matter what kind of technological safeguards an organization uses, its secrets will never be safe while its employees are sending their passwords, however unwittingly, to pornographers—or to anyone else outside the organization.

The Parable of the Dirty Web Site illustrates part of what became the thesis of Schneier’s most recent book, Secrets and Lies (2000): The way people think about security, especially security on computer networks, is almost always wrong. All too often planners seek technological cure-alls, when such security measures at best limit risks to acceptable levels. In particular, the consequences of going wrong—and all these systems go wrong sometimes—are rarely considered. For these reasons Schneier believes that most of the security measures envisioned after September 11 will be ineffective, and that some will make Americans less safe.

It is now a year since the World Trade Center was destroyed. Legislators, the law-enforcement community, and the Bush Administration are embroiled in an essential debate over the measures necessary to prevent future attacks. To armor-plate the nation’s security they increasingly look to the most powerful technology available: retina, iris, and fingerprint scanners; “smart” driver’s licenses and visas that incorporate anti-counterfeiting chips; digital surveillance of public places with face-recognition software; huge centralized databases that use data-mining routines to sniff out hidden terrorists. Some of these measures have already been mandated by Congress, and others are in the pipeline. State and local agencies around the nation are adopting their own schemes. More mandates and more schemes will surely follow.

Schneier is hardly against technology—he’s the sort of person who immediately cases public areas for outlets to recharge the batteries in his laptop, phone, and other electronic prostheses. “But if you think technology can solve your security problems,” he says, “then you don’t understand the problems and you don’t understand the technology.” Indeed, he regards the national push for a high-tech salve for security anxieties as a reprise of his own early and erroneous beliefs about the transforming power of strong crypto. The new technologies have enormous capacities, but their advocates have not realized that the most critical aspect of a security measure is not how well it works but how well it fails.

The Crypto Wars

If mathematicians from the 1970s were suddenly transported through time to the present, they would be happily surprised by developments such as the proofs to Kepler’s conjecture (proposed in 1611, confirmed in 1998) and to Fermat’s last theorem (1637, 1994). But they would be absolutely astonished by the RSA Conference, the world’s biggest trade show for cryptographers. Sponsored by the cryptography firm RSA Security, the conferences are attended by as many as 10,000 cryptographers, computer scientists, network managers, and digital-security professionals. What would amaze past mathematicians is not just the number of conferences but that they exist at all.

Sidebar: Why the Maginot Line Failed “In fact, the Maginot Line, the chain of fortifications on France’s border with Germany, was indicative neither of despair about defeating Germany nor of thought mired in the past….”

Cryptology is a specialized branch of mathematics with some computer science thrown in. As recently as the 1970s there were no cryptology courses in university mathematics or computer-science departments; nor were there crypto textbooks, crypto journals, or crypto software. There was no private crypto industry, let alone venture-capitalized crypto start-ups giving away key rings at trade shows (crypto key rings—techno-humor). Cryptography, the practice of cryptology, was the province of a tiny cadre of obsessed amateurs, the National Security Agency, and the NSA’s counterparts abroad. Now it is a multibillion-dollar field with applications in almost every commercial arena.

As one of the people who helped to bring this change about, Schneier is always invited to speak at RSA conferences. Every time, the room is too small, and overflow crowds, eager to hear their favorite guru, force the session into a larger venue, which is what happened when I saw him speak at an RSA conference in San Francisco’s Moscone Center last year. There was applause from the hundreds of seated cryptophiles when Schneier mounted the stage, and more applause from the throng standing in the aisles and exits when he apologized for the lack of seating capacity. He was there to talk about the state of computer security, he said. It was as bad as ever, maybe getting worse.

In the past security officers were usually terse ex-military types who wore holsters and brush cuts. But as computers have become both attackers’ chief targets and their chief weapons, a new generation of security professionals has emerged, drawn from the ranks of engineering and computer science. Many of the new guys look like people the old guard would have wanted to arrest, and Schneier is no exception. Although he is a co-founder of a successful company, he sometimes wears scuffed black shoes and pants with a wavering press line; he gathers his thinning hair into a straggly ponytail. Ties, for the most part, are not an issue. Schneier’s style marks him as a true nerd—someone who knows the potential, both good and bad, of technology, which in our technocentric era is an asset.

Schneier was raised in Brooklyn. He got a B.S. in physics from the University of Rochester in 1985 and an M.S. in computer science from American University two years later. Until 1991 he worked for the Department of Defense, where he did things he won’t discuss. Lots of kids are intrigued by codes and ciphers, but Schneier was surely one of the few to ask his father, a lawyer and a judge, to write secret messages for him to analyze. On his first visit to a voting booth, with his mother, he tried to figure out how she could cheat and vote twice. He didn’t actually want her to vote twice—he just wanted, as he says, to “game the system.” Unsurprisingly, someone so interested in figuring out the secrets of manipulating the system fell in love with the systems for manipulating secrets.

Schneier’s childhood years, as it happened, were a good time to become intrigued by cryptography—the best time in history, in fact. In 1976 two researchers at Stanford University invented an entirely new type of encryption, public-key encryption, which abruptly woke up the entire field.

Public-key encryption is complicated in detail but simple in outline. All ciphers employ mathematical procedures called algorithms to transform messages from their original form into an unreadable jumble. (Cryptographers work with ciphers and not codes, which are spy-movie-style lists of prearranged substitutes for letters, words, or phrases—“meet at the theater” for “attack at nightfall.”) Most ciphers use secret keys: mathematical values that plug into the algorithm. Breaking a cipher means figuring out the key. In a kind of mathematical sleight of hand, public-key encryption encodes messages with keys that can be published openly and decodes them with different keys that stay secret and are effectively impossible to break using today’s technology. (A more complete explanation of public-key encryption will soon be available on The Atlantic’s Web site, www.theatlantic.com.) The best-known public-key algorithm is the RSA algorithm, whose name comes from the initials of the three mathematicians who invented it. RSA keys are created by manipulating big prime numbers. If the private decoding RSA key is properly chosen, guessing it necessarily involves factoring a very large number into its constituent primes, something for which no mathematician has ever devised an adequate shortcut. Even if demented government agents spent a trillion dollars on custom factoring computers, Schneier has estimated, the sun would likely go nova before they cracked a message enciphered with a public key of sufficient length.

Schneier and other technophiles grasped early how important computer networks would become to daily life. They also understood that those networks were dreadfully insecure. Strong crypto, in their view, was an answer of almost magical efficacy. Even federal officials believed that strong crypto would Change Everything Forever—except they thought the change would be for the worse. Strong encryption “jeopardizes the public safety and national security of this country,” Louis Freeh, then the director of the (famously computer-challenged) Federal Bureau of Investigation, told Congress in 1995. “Drug cartels, terrorists, and kidnappers will use telephones and other communications media with impunity knowing that their conversations are immune” from wiretaps.

The Crypto Wars erupted in 1991, when Washington attempted to limit the spread of strong crypto. Schneier testified before Congress against restrictions on encryption, campaigned for crypto freedom on the Internet, co-wrote an influential report on the technical snarls awaiting federal plans to control cryptographic protocols, and rallied 75,000 crypto fans to the cause in his free monthly e-mail newsletter, Crypto-Gram. Most important, he wrote Applied Cryptography, the first-ever comprehensive guide to the practice of cryptology.
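The article’s sketch of public-key encryption above (a public algorithm, a published encrypting key, a secret decrypting key whose recovery requires factoring a large number) can be seen end to end in a few lines. The block below is an added illustration written for this post, not code from the article, from Schneier, or from any RSA library; the function names are my own and the primes, exponent and message are constructed for the demonstration. With the toy primes the factoring step succeeds instantly, which is precisely what does not happen at real key sizes; the point is to show where the secret lives and what an attacker who holds only the public key would have to do.

```python
"""Toy RSA, added as an illustration (not the article's code).

The algorithm is completely public; the only secret is the private
exponent d.  Recovering d from the public key (n, e) requires knowing
phi(n) = (p-1)(q-1), which means factoring n.  The primes used in the
demo are constructed and tiny, so trial division factors n at once; real
keys use primes of hundreds of digits, where no comparably fast factoring
method is known.
"""
from math import gcd, isqrt


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Encrypt an integer 0 <= message < n with the public key."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    """Decrypt with the private key; undoes encrypt() for the matching pair."""
    n, d = private_key
    return pow(ciphertext, d, n)


def factor_by_trial_division(n):
    """Find a factor pair (p, q) of n by brute force.

    Cost grows with sqrt(n): instant for toy moduli, hopeless for the
    moduli real deployments use.
    """
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n has no non-trivial factors")


def recover_private_key(public_key):
    """What an attacker holding only (n, e) must do: factor n to get d."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


if __name__ == "__main__":
    # Constructed demo values: the classic textbook pair p=61, q=53, e=17.
    public, private = generate_keypair(61, 53, e=17)
    c = encrypt(public, 65)
    print("public key:", public, "private key:", private)
    print("ciphertext:", c, "decrypts to:", decrypt(private, c))
    print("private key recovered from the public key alone:",
          recover_private_key(public))
```

Two things worth noticing. First, nothing about the method is hidden; anyone can read `encrypt` and `decrypt`, and the scheme still holds as long as `d` does, which is the sense in which the article later says the only secret is the key. Second, this is textbook RSA on bare integers; real systems pad the message before exponentiation and never encrypt raw data this way, so treat the block as an explanation of the arithmetic rather than a pattern to deploy.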
Washington lost the wars in 1999, when an appellate court ruled that restrictions on cryptography were illegal, because crypto algorithms were a form of speech and thus covered by the First Amendment. After the ruling the FBI and the NSA more or less surrendered. In the sudden silence the dazed combatants surveyed the battleground. Crypto had become widely available, and it had indeed fallen into unsavory hands. But the results were different from what either side had expected. As the crypto aficionados had envisioned, software companies inserted crypto into their products. On the “Tools” menu in Microsoft Outlook, for example, “encrypt” is an option. And encryption became big business, as part of the infrastructure for e-commerce—it is the little padlock that appears in the corner of Net surfers’ browsers when they buy books at Amazon.com, signifying that credit-card numbers are being enciphered. But encryption is rarely used by the citizenry it was supposed to protect and empower. Cryptophiles, Schneier among them, had been so enraptured by the possibilities of uncrackable ciphers that they forgot they were living in a world in which people can’t program VCRs. Inescapably, an encrypted message is harder to send than an unencrypted one, if only because of the effort involved in using all the extra software. So few people use encryption software that most companies have stopped selling it to individuals. Sidebar: The Worm in the Machine “Buffer overflows (sometimes called stack smashing) are the most common form of security vulnerability in the last ten years….” Among the few who do use crypto are human-rights activists living under dictatorships. But, just as the FBI feared, terrorists, child pornographers, and the Mafia use it too. Yet crypto has not protected any of them. As an example, Schneier points to the case of Nicodemo Scarfo, who the FBI believed was being groomed to take over a gambling operation in New Jersey. 
Agents surreptitiously searched his office in 1999 and discovered that he was that rarity, a gangster nerd. On his computer was the long-awaited nightmare for law enforcement: a crucial document scrambled by strong encryption software. Rather than sit by, the FBI installed a “keystroke logger” on Scarfo’s machine. The logger recorded the decrypting key— or, more precisely, the passphrase Scarfo used to generate that key— as he typed it in, and gained access to his incriminating files. Scarfo pleaded guilty to charges of running an illegal gambling business on February 28 of this year. Schneier was not surprised by this demonstration of the impotence of cryptography. Just after the Crypto Wars ended, he had begun writing a follow-up to Applied Cryptography. But this time Schneier, a fluent writer, was blocked—he couldn’t make himself extol strong crypto as a security panacea. As Schneier put it in Secrets and Lies, the very different book he eventually did write, he had been portraying cryptography—in his speeches, in his congressional testimony, in Applied Cryptography—as “a kind of magic security dust that [people] could sprinkle over their software and make it secure.” It was not. Nothing could be. Humiliatingly, Schneier discovered that, as a friend wrote him, “the world was full of bad security systems designed by people who read Applied Cryptography.” In retrospect he says, “Crypto solved the wrong problem.” Ciphers scramble messages and documents, preventing them from being read while, say, they are transmitted on the Internet. But the strongest crypto is gossamer protection if malevolent people have access to the computers on the other end. 
Encrypting transactions on the Internet, the Purdue computer scientist Eugene Spafford has remarked, “is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” To effectively seize control of Scarfo’s computer, FBI agents had to break into his office and physically alter his machine. Such black-bag jobs are ever less necessary, because the rise of networks and the Internet means that computers can be controlled remotely, without their operators’ knowledge. Huge computer databases may be useful, but they also become tempting targets for criminals and terrorists. So do home computers, even if they are connected only intermittently to the Web. Hackers look for vulnerable machines, using software that scans thousands of Net connections at once. This vulnerability, Schneier came to think, is the real security issue. With this realization he closed Counterpane Systems, his five-person crypto-consulting company in Chicago, in 1999. He revamped it and reopened immediately in Silicon Valley with a new name, Counterpane Internet Security, and a new idea—one that relied on old-fashioned methods. Counterpane would still keep data secret. But the lessons of the Crypto Wars had given Schneier a different vision of how to do that—a vision that has considerable relevance for a nation attempting to prevent terrorist crimes. here Schneier had sought one overarching technical fix, hard experience had taught him the quest was illusory. Indeed, yielding to the American penchant for all-in-one high-tech solutions can make us less safe—especially when it leads to enormous databases full of confidential information. Secrecy is important, of course, but it is also a trap. The more secrets necessary to a security system, the more vulnerable it becomes. To forestall attacks, security systems need to be small-scale, redundant, and compartmentalized. 
Rather than large, sweeping programs, they should be carefully crafted mosaics, each piece aimed at a specific weakness. The federal government and the airlines are spending millions of dollars, Schneier points out, on systems that screen every passenger to keep knives and weapons out of planes. But what matters most is keeping dangerous passengers out of airline cockpits, which can be accomplished by reinforcing the door. Similarly, it is seldom necessary to gather large amounts of additional information, because in modern societies people leave wide audit trails. The problem is sifting through the already existing mountain of data. Calls for heavy monitoring and record-keeping are thus usually a mistake. (“Broad surveillance is a mark of bad security,” Schneier wrote in a recent Crypto-Gram.) To halt attacks once they start, security measures must avoid being subject to single points of failure. Computer networks are particularly vulnerable: once hackers bypass the firewall, the whole system is often open for exploitation. Because every security measure in every system can be broken or gotten around, failure must be incorporated into the design. No single failure should compromise the normal functioning of the entire system or, worse, add to the gravity of the initial breach. Finally, and most important, decisions need to be made by people at close range—and the responsibility needs to be given explicitly to people, not computers. Unfortunately, there is little evidence that these principles are playing any role in the debate in the Administration, Congress, and the media about how to protect the nation. Indeed, in the argument over policy and principle almost no one seems to be paying attention to the practicalities of security—a lapse that Schneier, like other security professionals, finds as incomprehensible as it is dangerous. Stealing Your Thumb couple of months after September 11, I flew from Seattle to Los Angeles to meet Schneier. 
As I was checking in at Sea-Tac Airport, someone ran through the metal detector and disappeared onto the little subway that runs among the terminals. Although the authorities quickly identified the miscreant, a concession stand worker, they still had to empty all the terminals and re-screen everyone in the airport, including passengers who had already boarded planes. Masses of unhappy passengers stretched back hundreds of feet from the checkpoints. Planes by the dozen sat waiting at the gates. I called Schneier on a cell phone to report my delay. I had to shout over the noise of all the other people on their cell phones making similar calls. “What a mess,” Schneier said. “The problem with airport security, you know, is that it fails badly.” For a moment I couldn’t make sense of this gnomic utterance. Then I realized he meant that when something goes wrong with security, the system should recover well. In Seattle a single slip-up shut down the entire airport, which delayed flights across the nation. Sea-Tac, Schneier told me on the phone, had no adequate way to contain the damage from a breakdown—such as a button installed near the x-ray machines to stop the subway, so that idiots who bolt from checkpoints cannot disappear into another terminal. The shutdown would inconvenience subway riders, but not as much as being forced to go through security again after a wait of several hours. An even better idea would be to place the x-ray machines at the departure gates, as some are in Europe, in order to scan each group of passengers closely and minimize inconvenience to the whole airport if a risk is detected—or if a machine or a guard fails. Schneier was in Los Angeles for two reasons. He was to speak to ICANN, the Internet Corporation for Assigned Names and Numbers, which controls the “domain name system” of Internet addresses. It is Schneier’s belief that attacks on the address database are the best means of taking down the Internet. 
He also wanted to review Ginza Sushi-Ko, perhaps the nation’s most exclusive restaurant, for the food column he writes with his wife, Karen Cooper. Minutes after my delayed arrival Schneier had with characteristic celerity packed himself and me into a taxi. The restaurant was in a shopping mall in Beverly Hills that was disguised to look like a collection of nineteenth-century Italian villas. By the time Schneier strode into the tiny lobby, he had picked up the thread of our airport discussion. Failing badly, he told me, was something he had been forced to spend time thinking about. In his technophilic exuberance he had been seduced by the promise of public-key encryption. But ultimately Schneier observed that even strong crypto fails badly. When something bypasses it, as the keystroke logger did with Nicodemo Scarfo’s encryption, it provides no protection at all. The moral, Schneier came to believe, is that security measures are characterized less by their manner of success than by their manner of failure. All security systems eventually miscarry. But when this happens to the good ones, they stretch and sag before breaking, each component failure leaving the whole as unaffected as possible. Engineers call such failure-tolerant systems “ductile.” One way to capture much of what Schneier told me is to say that he believes that when possible, security schemes should be designed to maximize ductility, whereas they often maximize strength. Since September 11 the government has been calling for a new security infrastructure—one that employs advanced technology to protect the citizenry and track down malefactors. Already the USA PATRIOT Act, which Congress passed in October, mandates the establishment of a “cross-agency, cross-platform electronic system … to confirm the identity” of visa applicants, along with a “highly secure network” for financial-crime data and “secure information sharing systems” to link other, previously separate databases. 
Pending legislation demands that the Attorney General employ “technology including, but not limited to, electronic fingerprinting, face recognition, and retinal scan technology.” The proposed Department of Homeland Security is intended to oversee a “national research and development enterprise for homeland security comparable in emphasis and scope to that which has supported the national security community for more than fifty years”—a domestic version of the high-tech R&D juggernaut that produced stealth bombers, smart weapons, and anti-missile defense. Iris, retina, and fingerprint scanners; hand-geometry assayers; remote video-network surveillance; face-recognition software; smart cards with custom identification chips; decompressive baggage checkers that vacuum-extract minute chemical samples from inside suitcases; tiny radio implants beneath the skin that continually broadcast people’s identification codes; pulsed fast-neutron analysis of shipping containers (“so precise,” according to one manufacturer, “it can determine within inches the location of the concealed target”); a vast national network of interconnected databases—the list goes on and on. In the first five months after the terrorist attacks the Pentagon liaison office that works with technology companies received more than 12,000 proposals for high-tech security measures. Credit-card companies expertly manage credit risks with advanced information-sorting algorithms, Larry Ellison, the head of Oracle, the world’s biggest database firm, told The New York Times in April; “We should be managing security risks in exactly the same way.” To “win the war on terrorism,” a former deputy undersecretary of commerce, David J. 
Rothkopf, explained in the May/June issue of Foreign Policy, the nation will need “regiments of geeks”—”pocket-protector brigades” who “will provide the software, systems, and analytical resources” to “close the gaps Mohammed Atta and his associates revealed.” Such ideas have provoked the ire of civil-liberties groups, which fear that governments, corporations, and the police will misuse the new technology. Schneier’s concerns are more basic. In his view, these measures can be useful, but their large-scale application will have little effect against terrorism. Worse, their use may make Americans less safe, because many of these tools fail badly— they’re “brittle,” in engineering jargon. Meanwhile, simple, effective, ductile measures are being overlooked or even rejected. he distinction between ductile and brittle security dates back, Schneier has argued, to the nineteenth-century linguist and cryptographer Auguste Kerckhoffs, who set down what is now known as Kerckhoffs’s principle. In good crypto systems, Kerckhoffs wrote, “the system should not depend on secrecy, and it should be able to fall into the enemy’s hands without disadvantage.” In other words, it should permit people to keep messages secret even if outsiders find out exactly how the encryption algorithm works. At first blush this idea seems ludicrous. But contemporary cryptography follows Kerckhoffs’s principle closely. The algorithms— the scrambling methods—are openly revealed; the only secret is the key. Indeed, Schneier says, Kerckhoffs’s principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility. From this can be drawn several corollaries. One is that plans to add new layers of secrecy to security systems should automatically be viewed with suspicion. 
Another is that security systems that utterly depend on keeping secrets tend not to work very well. Alas, airport security is among these. Procedures for screening passengers, for examining luggage, for allowing people on the tarmac, for entering the cockpit, for running the autopilot software—all must be concealed, and all seriously compromise the system if they become known. As a result, Schneier wrote in the May issue of Crypto-Gram, brittleness “is an inherent property of airline security.”

Few of the new airport-security proposals address this problem. Instead, Schneier told me in Los Angeles, they address problems that don’t exist. “The idea that to stop bombings cars have to park three hundred feet away from the terminal, but meanwhile they can drop off passengers right up front like they always have …” He laughed. “The only ideas I’ve heard that make any sense are reinforcing the cockpit door and getting the passengers to fight back.” Both measures test well against Kerckhoffs’s principle: knowing ahead of time that law-abiding passengers may forcefully resist a hijacking en masse, for example, doesn’t help hijackers to fend off their assault. Both are small-scale, compartmentalized measures that make the system more ductile, because no matter how hijackers get aboard, beefed-up doors and resistant passengers will make it harder for them to fly into a nuclear plant. And neither measure has any adverse effect on civil liberties.

Evaluations of a security proposal’s merits, in Schneier’s view, should not be much different from the ordinary cost-benefit calculations we make in daily life. The first question to ask of any new security proposal is, What problem does it solve? The second: What problems does it cause, especially when it fails?

Failure comes in many kinds, but two of the more important are simple failure (the security measure is ineffective) and what might be called subtractive failure (the security measure makes people less secure than before). An example of simple failure is face-recognition technology. In basic terms, face-recognition devices photograph people; break down their features into “facial building elements”; convert these into numbers that, like fingerprints, uniquely identify individuals; and compare the results with those stored in a database. If someone’s facial score matches that of a criminal in the database, the person is detained. Since September 11 face-recognition technology has been placed in an increasing number of public spaces: airports, beaches, nightlife districts. Even visitors to the Statue of Liberty now have their faces scanned.

Face-recognition software could be useful. If an airline employee has to type in an identifying number to enter a secure area, for example, it can help to confirm that someone claiming to be that specific employee is indeed that person. But it cannot pick random terrorists out of the mob in an airline terminal. That much-larger-scale task requires comparing many sets of features with the many other sets of features in a database of people on a “watch list.” Identix, of Minnesota, one of the largest face-recognition-technology companies, contends that in independent tests its FaceIt software has a success rate of 99.32 percent—that is, when the software matches a passenger’s face with a face on a list of terrorists, it is mistaken only 0.68 percent of the time. Assume for the moment that this claim is credible; assume, too, that good pictures of suspected terrorists are readily available. About 25 million passengers used Boston’s Logan Airport in 2001.
Had face-recognition software been used on 25 million faces, it would have wrongly picked out just 0.68 percent of them—but that would have been enough, given the large number of passengers, to flag as many as 170,000 innocent people as terrorists. With almost 500 false alarms a day, the face-recognition system would quickly become something to ignore.

The potential for subtractive failure, different and more troublesome, is raised by recent calls to deploy biometric identification tools across the nation. Biometrics—“the only way to prevent identity fraud,” according to the former senator Alan K. Simpson, of Wyoming—identifies people by precisely measuring their physical characteristics and matching them up against a database. The photographs on driver’s licenses are an early example, but engineers have developed many high-tech alternatives, some of them already mentioned: fingerprint readers, voiceprint recorders, retina or iris scanners, face-recognition devices, hand-geometry assayers, even signature-geometry analyzers, which register pen pressure and writing speed as well as the appearance of a signature.

Appealingly, biometrics lets people be their own ID cards—no more passwords to forget! Unhappily, biometric measures are often implemented poorly. This past spring three reporters at c’t, a German digital-culture magazine, tested a face-recognition system, an iris scanner, and nine fingerprint readers. All proved easy to outsmart. Even at the highest security setting, Cognitec’s FaceVACS-Logon could be fooled by showing the sensor a short digital movie of someone known to the system—the president of a company, say—on a laptop screen. To beat Panasonic’s Authenticam iris scanner, the German journalists photographed an authorized user, took the photo and created a detailed, life-size image of his eyes, cut out the pupils, and held the image up before their faces like a mask. The scanner read the iris, detected the presence of a human pupil—and accepted the imposture. Many of the fingerprint readers could be tricked simply by breathing on them, reactivating the last user’s fingerprint. Beating the more sophisticated Identix Bio-Touch fingerprint reader required a trip to a hobby shop. The journalists used graphite powder to dust the latent fingerprint—the kind left on glass—of a previous, authorized user; picked up the image on adhesive tape; and pressed the tape on the reader. The Identix reader, too, was fooled.

Not all biometric devices are so poorly put together, of course. But all of them fail badly. Consider the legislation introduced in May by Congressmen Jim Moran and Tom Davis, both of Virginia, that would mandate biometric data chips in driver’s licenses—a sweeping, nationwide data-collection program, in essence. (Senator Dick Durbin, of Illinois, is proposing measures to force states to use a “single identifying designation unique to the individual on all driver’s licenses”; President George W. Bush has already signed into law a requirement for biometric student visas.) Although Moran and Davis tied their proposal to the need for tighter security after last year’s attacks, they also contended that the nation could combat fraud by using smart licenses with bank, credit, and Social Security cards, and for voter registration and airport identification. Maybe so, Schneier says. “But think about screw-ups, because the system will screw up.” Smart cards that store non-biometric data have been routinely cracked in the past, often with inexpensive oscilloscope-like devices that detect and interpret the timing and power fluctuations as the chip operates. An even cheaper method, announced in May by two Cambridge security researchers, requires only a bright light, a standard microscope, and duct tape. Biometric ID cards are equally vulnerable.
Indeed, as a recent National Research Council study points out, the extra security supposedly provided by biometric ID cards will raise the economic incentive to counterfeit or steal them, with potentially disastrous consequences to the victims. “Okay, somebody steals your thumbprint,” Schneier says. “Because we’ve centralized all the functions, the thief can tap your credit, open your medical records, start your car, any number of things. Now what do you do? With a credit card, the bank can issue you a new card with a new number. But this is your thumb—you can’t get a new one.”

The consequences of identity fraud might be offset if biometric licenses and visas helped to prevent terrorism. Yet smart cards would not have stopped the terrorists who attacked the World Trade Center and the Pentagon. According to the FBI, all the hijackers seem to have been who they said they were; their intentions, not their identities, were the issue. Each entered the country with a valid visa, and each had a photo ID in his real name (some obtained their IDs fraudulently, but the fakes correctly identified them). “What problem is being solved here?” Schneier asks.

Good security is built in overlapping, cross-checking layers, to slow down attacks; it reacts limberly to the unexpected. Its most important components are almost always human. “Governments have been relying on intelligent, trained guards for centuries,” Schneier says. “They spot people doing bad things and then use laws to arrest them. All in all, I have to say, it’s not a bad system.”

The Human Touch

One of the first times I met with Schneier was at the Cato Institute, a libertarian think tank in Washington, D.C., that had asked him to speak about security. Afterward I wondered how the Cato people had reacted to the speech. Libertarians love cryptography, because they believe that it will let people keep their secrets forever, no matter what a government wants.
To them, Schneier was a kind of hero, someone who fought the good fight. As a cryptographer, he had tremendous street cred: he had developed some of the world’s coolest ciphers, including the first rigorous encryption algorithm ever published in a best-selling novel (Cryptonomicon, by Neal Stephenson) and the encryption for the “virtual box tops” on Kellogg’s cereals (children type a code from the box top into a Web site to win prizes), and had been one of the finalists in the competition to write algorithms for the federal government’s new encryption standard, which it adopted last year. Now, in the nicest possible way, he had just told the libertarians the bad news: he still loved cryptography for the intellectual challenge, but it was not all that relevant to protecting the privacy and security of real people.

In security terms, he explained, cryptography is classed as a protective counter-measure. No such measure can foil every attack, and all attacks must still be both detected and responded to. This is particularly true for digital security, and Schneier spent most of his speech evoking the staggering insecurity of networked computers. Countless numbers are broken into every year, including machines in people’s homes. Taking over computers is simple with the right tools, because software is so often misconfigured or flawed. In the first five months of this year, for example, Microsoft released five “critical” security patches for Internet Explorer, each intended to rectify lapses in the original code.

Computer crime statistics are notoriously sketchy, but the best of a bad lot come from an annual survey of corporations and other institutions by the FBI and the Computer Security Institute, a research and training organization in San Francisco. In the most recent survey, released in April, 90 percent of the respondents had detected one or more computer-security breaches within the previous twelve months—a figure that Schneier calls “almost certainly an underestimate.” His own experience suggests that a typical corporate network suffers a serious security breach four to six times a year—more often if the network is especially large or its operator is politically controversial.

Luckily for the victims, this digital mayhem is mostly wreaked not by the master hackers depicted in Hollywood techno-thrillers but by “script kiddies”—youths who know just enough about computers to download and run automated break-in programs. Twenty-four hours a day, seven days a week, script kiddies poke and prod at computer networks, searching for any of the thousands of known security vulnerabilities that administrators have not yet patched. A typical corporate network, Schneier says, is hit by such doorknob-rattling several times an hour. The great majority of these attacks achieve nothing, but eventually any existing security holes will be found and exploited. “It’s very hard to communicate how bad the situation is,” Schneier says, “because it doesn’t correspond to our normal intuition of the world. To a first approximation, bank vaults are secure. Most of them don’t get broken into, because it takes real skill. Computers are the opposite. Most of them get broken into all the time, and it takes practically no skill.” Indeed, as automated cracking software improves, it takes ever less knowledge to mount ever more sophisticated attacks.

Given the pervasive insecurity of networked computers, it is striking that nearly every proposal for “homeland security” entails the creation of large national databases.
The Moran-Davis proposal, like other biometric schemes, envisions storing smart-card information in one such database; the USA PATRIOT Act effectively creates another; the proposed Department of Homeland Security would “fuse and analyze” information from more than a hundred agencies, and would “merge under one roof” scores or hundreds of previously separate databases. (A representative of the new department told me no one had a real idea of the number. “It’s a lot,” he said.)

Better coordination of data could have obvious utility, as was made clear by recent headlines about the failure of the FBI and the CIA to communicate. But carefully linking selected fields of data is different from creating huge national repositories of information about the citizenry, as is being proposed. Larry Ellison, the CEO of Oracle, has dismissed cautions about such databases as whiny cavils that don’t take into account the existence of murderous adversaries. But murderous adversaries are exactly why we should ensure that new security measures actually make American life safer.

Any new database must be protected, which automatically entails a new layer of secrecy. As Kerckhoffs’s principle suggests, the new secrecy introduces a new failure point. Government information is now scattered through scores of databases; however inadvertently, it has been compartmentalized—a basic security practice. (Following this practice, tourists divide their money between their wallets and hidden pouches; pickpockets are less likely to steal it all.) Many new proposals would change that. An example is Attorney General John Ashcroft’s plan, announced in June, to fingerprint and photograph foreign visitors “who fall into categories of elevated national security concern” when they enter the United States (“approximately 100,000” will be tracked this way in the first year). The fingerprints and photographs will be compared with those of “known or suspected terrorists” and “wanted criminals.” Alas, no such database of terrorist fingerprints and photographs exists. Most terrorists are outside the country, and thus hard to fingerprint, and latent fingerprints rarely survive bomb blasts. The databases of “wanted criminals” in Ashcroft’s plan seem to be those maintained by the FBI and the Immigration and Naturalization Service. But using them for this purpose would presumably involve merging computer networks in these two agencies with the visa procedure in the State Department—a security nightmare, because no one entity will fully control access to the system.

Equivalents of the big, centralized databases under discussion already exist in the private sector: corporate warehouses of customer information, especially credit-card numbers. The record there is not reassuring. “Millions upon millions of credit-card numbers have been stolen from computer networks,” Schneier says. So many, in fact, that Schneier believes that everyone reading this article “has, in his or her wallet right now, a credit card with a number that has been stolen,” even if no criminal has yet used it. Number thieves, many of whom operate out of the former Soviet Union, sell them in bulk: $1,000 for 5,000 credit-card numbers, or twenty cents apiece. In a way, the sheer volume of theft is fortunate: so many numbers are floating around that the odds are small that any one will be heavily used by bad guys. Large-scale federal databases would undergo similar assaults. The prospect is worrying, given the government’s long-standing reputation for poor information security.
Since September 11 at least forty government networks have been publicly cracked by typographically challenged vandals with names like “CriminalS,” “S4t4n1c S0uls,” “cr1m3 0rg4n1z4d0,” and “Discordian Dodgers.” Summing up the problem, a House subcommittee last November awarded federal agencies a collective computer-security grade of F.

According to representatives of Oracle, the federal government has been talking with the company about employing its software for the new central databases. But judging from the past, involving the private sector will not greatly improve security. In March, CERT/CC, a computer-security watchdog based at Carnegie Mellon University, warned of thirty-eight vulnerabilities in Oracle’s database software. Meanwhile, a centerpiece of the company’s international advertising is the claim that its software is “unbreakable.” Other software vendors fare no better: CERT/CC issues a constant stream of vulnerability warnings about every major software firm.

Schneier, like most security experts I spoke to, does not oppose consolidating and modernizing federal databases per se. To avoid creating vast new opportunities for adversaries, the overhaul should be incremental and small-scale. Even so, it would need to be planned with extreme care—something that shows little sign of happening.

One key to the success of digital revamping will be a little-mentioned, even prosaic feature: training the users not to circumvent secure systems. The federal government already has several computer networks—INTELINK, SIPRNET, and NIPRNET among them—that are fully encrypted, accessible only from secure rooms and buildings, and never connected to the Internet. Yet despite their lack of Net access the secure networks have been infected by e-mail perils such as the Melissa and I Love You viruses, probably because some official checked e-mail on a laptop, got infected, and then plugged the same laptop into the classified network. Because secure networks are unavoidably harder to work with, people are frequently tempted to bypass them—one reason that researchers at weapons labs sometimes transfer their files to insecure but more convenient machines.

Schneier has long argued that the best way to improve the very bad situation in computer security is to change software licenses. If software is blatantly unsafe, owners have no such recourse, because it is licensed rather than bought, and the licenses forbid litigation. It is unclear whether the licenses can legally do this (courts currently disagree), but as a practical matter it is next to impossible to win a lawsuit against a software firm. If some big software companies lose product-liability suits, Schneier believes, their confreres will begin to take security seriously.

Computer networks are difficult to keep secure in part because they have so many functions, each of which must be accounted for. For that reason Schneier and other experts tend to favor narrowly focused security measures—more of them physical than digital—that target a few precisely identified problems. For air travel, along with reinforcing cockpit doors and teaching passengers to fight back, examples include armed uniformed—not plainclothes—guards on select flights; “dead-man” switches that in the event of a pilot’s incapacitation force planes to land by autopilot at the nearest airport; positive bag matching (ensuring that luggage does not get on a plane unless its owner also boards); and separate decompression facilities that detonate any altitude bombs in cargo before takeoff. None of these is completely effective; bag matching, for instance, would not stop suicide bombers. But all are well tested, known to at least impede hijackers, not intrusive to passengers, and unlikely to make planes less secure if they fail.
It is impossible to guard all potential targets, because anything and everything can be subject to attack. Palestinian suicide bombers have shown this by murdering at random the occupants of pool halls and hotel meeting rooms. Horrible as these incidents are, they do not risk the lives of thousands of people, as would attacks on critical parts of the national infrastructure: nuclear-power plants, hydroelectric dams, reservoirs, gas and chemical facilities. Here a classic defense is available: tall fences and armed guards. Yet this past spring the Bush Administration cut by 93 percent the funds requested by the Energy Department to bolster security for nuclear weapons and waste; it denied completely the funds requested by the Army Corps of Engineers for guarding 200 reservoirs, dams, and canals, leaving fourteen large public-works projects with no budget for protection. A recommendation by the American Association of Port Authorities that the nation spend a total of $700 million to inspect and control ship cargo (today less than two percent of container traffic is inspected) has so far resulted in grants of just $92 million. In all three proposals most of the money would have been spent on guards and fences.

The most important element of any security measure, Schneier argues, is people, not technology—and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery.
Giving guards increased authority provides more opportunities for abuse, Schneier says, so the guards must be supervised carefully. But a system with more people who have more responsibility “is more robust,” he observed in the June Crypto-Gram, “and the best way to make things work. (The U.S. Marine Corps understands this principle; it’s the heart of their chain of command rules.)”

“The trick is to remember that technology can’t save you,” Schneier says. “We know this in our own lives. We realize that there’s no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don’t offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people.”

Looking for Trouble

After meeting Schneier at the Cato Institute, I drove with him to the Washington command post of Counterpane Internet Security. It was the first time in many months that he had visited either of his company’s two operating centers (the other is in Silicon Valley). His absence had been due not to inattentiveness but to his determination to avoid the classic high-tech mistake of involving the alpha geek in day-to-day management. Besides, he lives in Minneapolis, and the company headquarters are in Cupertino, California. (Why Minneapolis? I asked. “My wife lives there,” he said. “It seemed polite.”) With his partner, Tom Rowley, supervising day-to-day operations, Schneier constantly travels in Counterpane’s behalf, explaining how the company manages computer security for hundreds of large and medium-sized companies. It does this mainly by installing human beings.

The command post was nondescript even by the bland architectural standards of exurban office complexes. Gaining access was like a pop quiz in security: How would the operations center recognize and admit its boss, who was there only once or twice a year? In this country requests for identification are commonly answered with a driver’s license. A few years ago Schneier devoted considerable effort to persuading the State of Illinois to issue him a driver’s license that showed no picture, signature, or Social Security number. But Schneier’s license serves as identification just as well as a license showing a picture and a signature—which is to say, not all that well. With or without a picture, with or without a biometric chip, licenses cannot be more than state-issued cards with people’s names on them: good enough for social purposes, but never enough to assure identification when it is important.

Authentication, Schneier says, involves something a person knows (a password or a PIN, say), has (a physical token, such as a driver’s license or an ID bracelet), or is (biometric data). Security systems should use at least two of these; the Counterpane center employs all three. At the front door Schneier typed in a PIN and waved an iButton on his key chain at a sensor (iButtons, made by Dallas Semiconductor, are programmable chips embedded in stainless-steel discs about the size and shape of a camera battery). We entered a waiting room, where Schneier completed the identification trinity by placing his palm on a hand-geometry reader.

Beyond the waiting room, after a purposely long corridor studded with cameras, was a conference room with many electrical outlets, some of which Schneier commandeered for his cell phone, laptop, BlackBerry, and battery packs. One side of the room was a dark glass wall. Schneier flicked a switch, shifting the light and theatrically revealing the scene behind the glass.
It was a Luddite nightmare: an auditorium-like space full of desks, each with two computer monitors; all the desks faced a wall of high-resolution screens. One displayed streams of data from the “sentry” machines that Counterpane installs in its clients’ networks. Another displayed images from the video cameras scattered around both this command post and the one in Silicon Valley. On a visual level the gadgetry overwhelmed the people sitting at the desks and watching over the data.

Nonetheless, the people were the most important part of the operation. Networks record so much data about their usage that overwhelmed managers frequently turn off most of the logging programs and ignore the others. Among Counterpane’s primary functions is to help companies make sense of the data they already have. “We turn the logs back on and monitor them,” Schneier says. Counterpane researchers developed software to measure activity on client networks, but no software by itself can determine whether an unusual signal is a meaningless blip or an indication of trouble. That was the job of the people at the desks. Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgment, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.

When I asked Schneier why Counterpane had such Darth Vaderish command centers, he laughed and said it helped to reassure potential clients that the company had mastered the technology. I asked if clients ever inquired how Counterpane trains the guards and analysts in the command centers. “Not often,” he said, although that training is in fact the center of the whole system.

Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier’s view, is a really terrible idea.

———–

How to break Windows.
https://ianbell.com/2002/08/12/how-to-break-windows/
Mon, 12 Aug 2002 19:00:37 +0000

Exploiting design flaws in the Win32 API for privilege escalation. Or… Shatter Attacks – How to break Windows.

By Foon – ivegotta [at] tombom.co [dot] uk

http://security.tombom.co.uk/shatter.html

Introduction

This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor. Microsoft has known about these flaws for some time; when I alerted them to this attack, their response was that they do not class it as a flaw – the email can be found here. This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin’s comments, it is about time the white hat community saw what is actually possible.

This paper is a step-by-step walkthrough of how to exploit one example of this class of flaw. Several other attack methods are discussed, although examples are not given. There are many ways to exploit these flaws, and many variations on each of the stages presented. This is just one example.

Background – the Win32 messaging system

Applications within Windows are entirely controlled through the use of messages. When a key is pressed, a message is sent to the current active window which states that a key was pressed. When Windows decides that an application needs to redraw its client area, it sends a message to the application. In fact, when any event takes place that an application needs to know about, it is sent a message. These messages are placed into a queue, and are processed in order by the application.

This is a very reliable mechanism for controlling applications. However, on Win32 the mechanism for controlling these messages is flawed. Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes that own them.

Overview

In this example, I will be exploiting Network Associates VirusScan v4.5.1, running on Windows 2000 Professional. Since the VirusScan Console runs on my desktop as LocalSystem and I am logged on as a guest user, the objective is to trick VirusScan into running my code to elevate my privileges. This is accomplished in several easy stages.

1. Locate a suitable window within VirusScan (an edit box is perfect), and obtain a window handle to it.
2. Remove any length restrictions that may be present on that edit box, so that I can type in an arbitrary quantity of data.
3. Paste in some binary executable code.
4. Force VirusScan to execute my code (as LocalSystem).

This is actually very easy to do. Windows conveniently provides all of the functionality that we will be needing. I have written a small application called Shatter which implements this functionality. You’ll also need a hex editor that is capable of copying binary data to the clipboard (I use UltraEdit), and a debugger (I use WinDbg).

PLEASE NOTE: Some virus scanners are alerting people to the presence of a “Win32/Beavuh” virus within the sploit.bin file in the Shatter zipfile. This is not a virus. The scanner is correct in flagging it – the code in this file is designed to open a command shell and bind it to a network socket. This is a bad thing to do in general, so the scanner is correct in generating an alert. This code is designed to be malicious in terms of its functionality, but the scanner is incorrect when labelling it as a virus.

Windows messages consist of three parts: a message identifier and two parameters. The parameters are used differently depending on what message is sent. This makes our life simpler, since we only have to worry about four things: a window handle to receive the message, the message, and two parameters. Let’s find out how easy this is…

Stage 1: Locating a window

We need to locate an edit control of some kind – something that we can type stuff into. Don’t worry if it’s restricted, we can cure that. Fire up the VirusScan console, and hit the first button – “New Task”. Conveniently, at the top of the dialog, there’s an edit box. That will do perfectly. Now, we need a handle to that control so that we can interact with it. Windows is more than happy to give us a handle to any window we like – we just have to ask it. Fire up Shatter, and position it so that you can still see the VirusScan edit control underneath it. Click on “Get cursor window” – Shatter should add an item in the list box beneath like “102f2 – Get cursor window”. This is because we’ve asked Windows to give us a handle to the window directly underneath the cursor. Move the cursor over the VirusScan edit control and hit Space to trigger Shatter again. Shatter should clear the list box, and tell you the handle for the target window – in my case it’s 30270. So, we can now interact programmatically with a window that is running with higher privileges than we are. Let’s paste in some shellcode.

Stage 2: Removing Restrictions

Now that we have a window handle, we can send any messages we like to that control and it will blindly execute them. First things first – let’s make sure we have enough space for our shellcode.

Within Shatter, type your window handle into the “Handle” box. The message to set the maximum text length of an edit box is EM_SETLIMITTEXT. The first parameter is the new maximum text length, and the second parameter is ignored. Type 4 into the WPARAM box, and 0 into the third. Click on EM_SETLIMITTEXT to send the message, and try to type something into the VirusScan edit box. You shouldn’t be able to type more than 4 characters. Change the 4 to FFFFFFFF and send the message again. Now try typing into the VirusScan edit box; you now have over 4Gb (theoretically) of space within that edit control. Should be enough for even the most wasteful shellcode.

Stage 3: Injecting Shellcode

Next up, let’s try pasting something into the box. Yes, OK, you could just right-click and choose Paste, but for the sake of argument let’s work as if we couldn’t do that. Clear the VirusScan edit box, and fire up Notepad. Type some text into Notepad, and copy it. Back in Shatter, we want to send VirusScan a “Paste clipboard contents” message, which is WM_PASTE. Both parameters for this message should be zero, so set the WPARAM and LPARAM to zero, leaving the handle the same. Click WM_PASTE, and watch your text appear in the VirusScan edit box. Click it again, and it should now be there twice. Fun, huh?

OK, that’s enough playing. Clear the VirusScan edit box again, and fire up your hex editor. Load up sploit.bin, included in the Shatter zipfile. This is the shellcode taken from Jill (Hey, Dark Spyrit!) which fires a remote command shell back to you. It’s hard-coded to send a command shell to the loopback address on port 123, so now’s probably a good time to fire up a Netcat listener before you forget. Fire up a cmd, hit “nc -lp 123” and forget it. Back to our hex edit. Copy the shellcode to the clipboard, making sure you get all of it (including the FOON at the beginning – we’ll need that in a sec). Back to Shatter, and hit the WM_PASTE button again. You should now see a whole load of nasty-looking characters in the VirusScan edit box; that’s our shellcode, nicely pasted in.

Stage 4: Executing the code

This is the only part of the process that requires any skill. Fire up your debugger, and attach it to the avconsol.exe process (Using WinDbg, that’s F6 to attach, and just choose the process). Next, do a search through memory for the FOON string. The WinDbg command is s -a 00000001 10000000 “FOON” but you might use a different debugger. Note down the memory location that the string appears at; it’ll probably appear a couple of times, don’t ask me why. Any of them will do. On my system, the shellcode appears at 0x00148c28, it shouldn’t be far off if you’re using the same version. Now, kill the debugger, log on as a guest user, and prepare to receive localsystem privs. Follow stages 1 through 3 again, noting that everything still works as a guest user. Don’t forget the Netcat listener to receive the shell.

At this point, you might be thinking that attaching a debugger is a privileged operation. It is. However, much the same as when writing a buffer overflow exploit, you can do that part on any system; all you need is the load address which should then work on any system running the same version of the software. In actual fact, you needn’t actually do this at all. Most applications have their own exception handlers (VirusScan certainly does), so if they generate an access violation, they just deal with it and move on rather than crashing. So, there’s nothing to stop you pasting in a few hundred kilobytes of NOPs and then just iterating through memory until you finally hit the right address and your shellcode executes. Not particularly elegant, but it’ll work.

The final message that we’re going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn’t even go into the message queue, so the application doesn’t even have the chance to ignore it. Silly, silly, silly…

So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOPs in front of the shellcode, so we should land slap bang in the middle of them); on my system that’s 0x148c28 + 0x200 = 0x148e28. Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy.

Alternative techniques

There are a few other ways of doing what we just managed, utilising the same basic mechanisms but maybe adding a bit more complexity. The EM_GETLINE message tells an edit control to copy its contents to a location specified within the message. How would you like to write arbitrary quantities of data to arbitrary locations in memory? How easy a sploit do you want? We’ve seen how the restrictions can be removed from the length of an edit control; what happens when an application depends on these restrictions? When an application expects 16 bytes of data from a limited-to-16-byte edit box, we can type in a few gigs. Everyone, on three; 1….2….3….Buffer Overflow! Probably stack-based too, since 16 bytes of data is unlikely to come from the heap. Also, when we send WM_TIMER, the parameter we specify as a timer ID gets pushed onto the stack along with a whole load of other crap. It’s not inconceivable that we could find a function which makes use of the 3rd function parameter and none of the others, allowing us to jump directly to a sploit with a single message.

Talking of the heap, that’s another great thing about these exploits. Generally, applications will create dialog boxes on the heap well in advance of any major memory operations taking place; our shellcode address is going to remain pretty static. In my experience it rarely moves more than 20 bytes between instances. Static jump addresses shouldn’t be a problem, but who cares? Send the app an EM_GETLINE message so it writes your shellcode to a location you specify (Hell, overwrite the heap. Who’s gonna care?) and then specify the same address in your WM_TIMER message. A completely NOP-free sploit! What fun!

Fixing the problem

Okay, so this is pretty easy to exploit. How is everyone gonna fix this? I can see two quick and dirty methods which will break a whole lotta functionality, and one very long-winded solution which is never going to be a total solution. Let me explain.

1. Don’t allow people to enumerate windows. Nasty. Multiple breakages. Theoretically possible, but I’d hate to see people trying to work around not knowing what windows are on the desktop when they need to.
2. Don’t allow messages to pass between applications with different privileges. Means that you couldn’t interact with any window on your desktop that’s not running as you; means that VirusScan at the very least (probably most personal firewalls, too) would need a whole lotta redesigning.
3. Add source info to messages, and depend on applications to decide whether or not to process the messages. Would need an extension to the Win32 API, and a whole lotta work for people to use it. Big job, and people would still get it wrong. Look at buffer overflows – they’ve been around for years, and they’re still fairly common.
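For the part of fix option 3 that falls to the application, here is an added example (not code from the paper or the Shatter tool) of a message filter that refuses a WM_TIMER whose callback address the application never registered itself, the message used in Stage 4. It is a portable simulation: the Win32 types are stand-ins defined in the file so it builds without windows.h, and register_timer stands in for the application’s own SetTimer calls; the only real Win32 constant used is the WM_TIMER number 0x0113.

```c
/* Added example, not code from the paper or the Shatter tool: the
 * application-side WM_TIMER check that fix option 3 leaves to applications.
 * Portable simulation: the Win32 types are stand-ins so this builds without
 * <windows.h>; 0x0113 is the real WM_TIMER message number. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t WPARAM;
typedef intptr_t  LPARAM;
typedef void     *HWND;
typedef void    (*TIMERPROC)(HWND, unsigned, uintptr_t, unsigned long);

enum { WM_TIMER = 0x0113 };

typedef struct {
    HWND     hwnd;
    unsigned message;
    WPARAM   wParam;   /* timer id */
    LPARAM   lParam;   /* callback address, or 0 for a plain timer tick */
} MSG;

/* Timers this application created itself (stand-in for its own SetTimer
 * calls). proc is NULL for a timer that just ticks the window procedure. */
#define MAX_TIMERS 16
typedef struct { uintptr_t id; TIMERPROC proc; } TimerEntry;
static TimerEntry g_timers[MAX_TIMERS];
static size_t     g_timer_count;

void clear_timers(void) { g_timer_count = 0; }

bool register_timer(uintptr_t id, TIMERPROC proc)
{
    if (g_timer_count >= MAX_TIMERS) return false;
    g_timers[g_timer_count].id   = id;
    g_timers[g_timer_count].proc = proc;
    g_timer_count++;
    return true;
}

/* Decides whether a retrieved message may be dispatched. Only WM_TIMER is
 * inspected: lParam == 0 is an ordinary tick; a non-zero lParam is accepted
 * only when the (id, callback) pair is one this application registered.
 * Anything else is the forged jump-to-address pattern and is dropped before
 * the pointer could be followed (e.g. in a loop before DispatchMessage). */
bool timer_message_allowed(const MSG *msg)
{
    if (msg->message != WM_TIMER) return true;
    if (msg->lParam == 0)         return true;
    for (size_t i = 0; i < g_timer_count; i++) {
        if (g_timers[i].id == (uintptr_t)msg->wParam && g_timers[i].proc != NULL &&
            (uintptr_t)g_timers[i].proc == (uintptr_t)msg->lParam)
            return true;
    }
    return false;
}

/* A legitimate callback, registered in main() as timer 7. */
void legit_timer_proc(HWND hwnd, unsigned msg, uintptr_t id, unsigned long tick)
{
    (void)hwnd; (void)msg; (void)tick;
    printf("timer %lu fired\n", (unsigned long)id);
}

int main(void)
{
    clear_timers();
    register_timer(7, legit_timer_proc);
    /* Constructed sample queue: a genuine callback timer, a plain tick, and a
     * forged WM_TIMER whose lParam is the paper's example address 0x148e28. */
    MSG queue[3] = {
        { NULL, WM_TIMER, 7,  (LPARAM)(uintptr_t)legit_timer_proc },
        { NULL, WM_TIMER, 99, 0 },
        { NULL, WM_TIMER, 1,  (LPARAM)0x148e28 },
    };
    for (size_t i = 0; i < 3; i++)
        printf("message %zu (id %lu): %s\n", i, (unsigned long)queue[i].wParam,
               timer_message_allowed(&queue[i]) ? "dispatch" : "DROPPED");
    return 0;
}
```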

Basically, there is no simple solution, which is why Microsoft have been keeping this under their hat. Problem is, if I can find this, I can guarantee that other people have as well. They might not tell anyone about it, and the next time they get into your system as a low-priv user, you wouldn’t have a clue how they got LocalSystem out of it. After all, you’re all up to date on patches, aren’t you?

Addendum: Why is this a problem?

When Microsoft saw a copy of this paper, they sent me a response stating clearly that they are aware of these attacks, and they do not class them as vulnerabilities. I believe that this point of view is incorrect. The two reasons that Microsoft stated are that a) They require unrestricted physical access to your computer, or b) they require you to run some kind of malicious code on your machine. I agree completely that in both of these scenarios, 0wning the machine is pretty easy. However, they’ve missed the point. These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account. Anyone ever heard of a little tool called hk.exe? How about ERunAsX (AKA DebPloit)? How about iishack.dll? All of these tools exploit some flaw that allows you to escalate your privileges AFTER you’ve gained access to the machine. All of these have been recognised as security holes by Microsoft, and patched.

If you have a corporate desktop machine, most commonly those machines will be quite tightly locked down. The user on that machine cannot do very much that they have not been explicitly granted permission to do. If that machine is vulnerable to a shatter attack, that user can gain localsystem privileges and do what they like. Even worse is the case of Terminal Services (or Citrix). Imagine a company providing terminal service functionality to their clients, for whatever purpose. That company is NOT going to give their users any real privileges. Shatter attacks will allow those users to completely take over that server; localsystem privileges are higher than the Administrator, and on a shared server that’s a problem. Oh, and it doesn’t require console access either – I’ve successfully executed these attacks against a Terminal Server a hundred miles away.

The simple fact is that Microsoft KNOWS that they cannot fix these flaws. The mechanism used is the Win32 API, which has been fairly static since Windows NT 3.5 was released in July 1993. Microsoft cannot change it. The only way they could stop these attacks is to prevent applications from running on the desktop with privileges higher than those of the user logged on. Microsoft believe that the desktop is a security boundary, and that any window on it should be classed as untrusted. This is true, but only for Windows, and because of these flaws. Either way, Microsoft break their own rules; there’s numerous windows on a standard desktop that run as localsystem. Use my shatter tool to verify this – there’s a whole load of unnamed windows which might be running as Localsystem, and a few invisible windows (like the DDE server) that definitely are. Security boundary my arse.

Is this just a Win32 problem?

Probably, yes. The biggest mainstream competitor to Windows in terms of windowing systems is X windows. X is based on a similar underlying technique, that of queueing messages that are passed between windows. X, however, has two major differences. Firstly, a window in X is just a window – it’s a blank page on which the application can do what it likes. Unlike Win32 where each control is a window in its own right, a control in X is just a picture. When you click that control, you’re actually clicking the window surrounding it, and the application is responsible for figuring out whether or not there’s actually a control underneath your mouse and responding accordingly. Secondly, and more importantly, X messages are just notifications, not control messages. You can’t tell an X window to do something just by sending it a message. You can’t tell it to paste text. You can’t tell it to change the input limits on a control. You certainly can’t tell it to jump to a location in memory and start executing it. The best you can do is send it the mouse clicks or keyboard strokes that correspond to a paste command – you certainly can’t tell a control to paste in the contents of the clipboard. As such, it’s still theoretically possible for some of these attacks to work against X but in practice it’s highly unlikely. You could flood an application with fake messages and see how it responds; you could send it corrupt messages and see how it responds. Chances are, it would cope just fine, since it’ll choose what to do with the messages and process the flood one at a time.

Anyway kids, have fun, play nicely, be good. And remember – if it ain’t broke, hit it again.

———–

Here’s A Story… https://ianbell.com/2002/07/27/heres-a-story/ Sun, 28 Jul 2002 02:25:17 +0000

Let’s imagine it’s 1999. You’re the CEO of the world’s largest media conglomerate, happily leeching money from your cable news network, your britney spears sound-alike franchise, and a few dozen feature films (among other things) and turning a respectable profit in the process. Times are good, you’ve relegated Ted Turner to his penthouse live-in office in Atlanta, and you’re dabbling in the local Cable TV services market; but no one seems to care.

While your juggernaut plugs along at 15% annual growth, you watch in abject horror as Dr. Koop launches some sort of web site which inexplicably blooms to a $2 Billion capitalization overnight — with no revenue. Angry investors jam your voice mail with demands for 100% weekly returns, and inexplicably your cash business is eclipsed by the market capitalization of an Internet Services Provider who lays claim to 30 million internet users — at a time when, arguably, such quantity of ‘net surfers doesn’t even exist. Time for a vacation!

Before your toes even hit the sand, however, you’re yanked back into reality from your Cayman Islands hideaway by Wall St. rumours of a takeover bid from said ISP whose valuation has bubbled to make it one of the largest companies in the world. You find yourself sitting in a room as the tieless, Dockers-clad “visionaries” who run this ISP pick apart your company’s formerly impressive stable of assets as though it were the carcass of some wildebeest. You learn the mantra: “Old Media is Dead; Long Live New Media!”

Rather than fighting the inevitable and angering your investors even further, you decide to play the game and give ’em what they want. You check your retirement clock and remind yourself that it’s been a good run, you’ve assembled a nifty little media conglomerate; and you begin to search for the perfect 46′ sailboat in which to sink the better part of your fortune.

Like a hermit crab, the ISP’s prodigies dump their shell and slide comfortably into yours, expressing no particular interest in making movies (except for some strange production called “You’ve Got Mail”) or quality Lou Pearlmann(tm) productions. Instead, they gleefully continue to ship out hundreds of millions of CD ROMs to every penthouse, cathouse, outhouse, and doghouse in America; citing some fuzzy concept known as “customer acquisition”; and inexplicably writing off the whole thing as “capital expenditure”, so that it doesn’t show up on your company’s rosy EBITDA.

This all raises your eyebrows of course, but what are you to do about it? These, clearly are the methods of the New Economy; so it’s best to just keep quiet and continue picking out the perfect varnish for your schooner. These new kids are running the show.

Deep within the bowels of your huge conglomerate, some of those New Media kids write some software that allows people to share and copy your Old Media products. Rather than trying to sell the software, they give it away — in fact, they give away the source code. Your heart beats wildly out of control and your temples nearly burst. As your fellow old-media cronies happily stomp all over some other music piracy tool called “Napster” you are forced to the sidelines.

Then, one day, the bubble bursts. Advertising sales drop off. There are no more crazy start-up companies who can pay multimillion-dollar “slotting fees” to expose themselves (sometimes literally) to your 30 million (or less) ISP customers. Desperate, the whiz kids decide to explore “creative options” to keep the revenue train rolling. They make deals to exchange advertising with other companies, booking the trades as revenue. They broker ad space for other online companies and book that as revenue, too. Very creative accounting, they tell you.

But as Dr. Koop and Boo and DEN and eVoice and all the rest start to drop like flies the ire of the investment community turns to the Poster Child for all that is On-Line, and eyes the smoldering heap of what once was your company (now a quarter-over-quarter money-loser) suspiciously. “What’s wrong with the fundamentals?” they ask. “Things were looking so promising!” With 9 out of every 10 of your ISP’s business partners dead and buried, any answer you could provide is merely rhetorical.

You turn to the whiz kids who attached this parasite to your company for answers. Peering at you over the plans for their 13-room Chesapeake Bay mansions they offer no solution, save offering their resignation to “pursue other business interests”. As investors begin to lay siege to your voice mail once again you hire more bodyguards and call the suits back in to laboriously establish your restructuring plan.

During a late night session, one of the MBAs comes up with a brilliant idea: Using something called “Good Will” you can essentially shrug your shoulders and shed some of the needless expense from your balance sheet, thus justifying a diminished valuation and setting the stage for positive growth. You ask the MBA how much “Good Will” will be good enough? The MBA says: “All of it.”

So, you do it: you bite the bullet. You take the entire value of your parasite at the time of that once-hallowed merger and you kick it out the door, exonerating yourself from having to answer questions about its profitability (or the absence thereof) for the immediate future. “Good Will” indeed, but the market begins to hammer you into the dirt, and it hurts. You begin to think maybe a 30-footer would be good enough.

Luckily for you, some crazy fools fly 767s into the World Trade Centre and every company gets hammered. With the full-on stoppage in the economy, you take the opportunity to shed some of the cabal of twentysomethings that were installed by the Dockers-wearing set and build a team to restructure some of their now failed operations. Maybe broadband would be a good tie-in for all of your media properties, you surmise.

Things all seem to be hobbling along smoothly until some fools in Texas get caught pinching from the cookie jar, artificially inflating world energy markets, and generally wreaking havoc with the economy. As their own bubble bursts, what remains of the investment community starts to scream — echoing their sentiment, every politician in the capitol declares that heads will indeed roll.

As the snowball rolls down the hill, gathering with it telecommunications players, software companies, hardware manufacturers, and any others in its path, you get a distinct tingling feeling. You remember something about writing off marketing campaigns as a capital expenditure. You wonder to yourself: “is that legal?” One of your expensive auditors buys you dinner one evening and reminds you about something to do with your ISP’s “creative accounting.”

It’s too late.

-Ian.

Microsoft’s Hiring… https://ianbell.com/2002/07/26/microsofts-hiring/ Fri, 26 Jul 2002 21:15:34 +0000

http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020726/tc_nm/tech_microsoft_dc_13

Microsoft to Pump Up R&D, Hire 5,000 Thu Jul 25,11:43 PM ET

By Reed Stevenson

REDMOND, Wash. (Reuters) – Microsoft Corp. said on Thursday it would boost spending on research and development by 20 percent and hire nearly 10 percent more workers this year, buoyed by strong sales of Windows XP.

Bill Gates, Microsoft’s chairman and chief software architect, said the software giant would make “aggressive” investments as it prepares to bet the company’s future and its mainstay, the Windows operating system, on Web-based services.

“We are increasing the level of investment for the future,” Gates told a gathering of about 300 analysts and reporters.

Gates said the software giant would increase research spending by 20 percent to $5.3 billion and add 5,000 employees to its workforce of 50,500 for the current year that ends in June 2003.

Thousands of new workers and billions of investment dollars are needed to deploy .NET, Microsoft’s over-arching plan to transform the way information changes hands so that software and services no longer depend on individual computers, Gates said.

Although Microsoft announced that Windows XP, the latest version of its flagship operating system, sold 46 million copies, to become the company’s fastest-selling software ever, the company emphasized repeatedly that it needed to branch out into new areas.

Analysts said Microsoft’s aggressive push into the nascent market for Web-based services was risky, but agreed that the potential rewards were also rich.

“I think it’s a huge bet. If they can get businesses to publish Web services that quickly I think they’ve got a bright future,” said Kim Caughey, an analyst at investment firm Parker/Hunter Inc. who attended the briefing.

Shares in Microsoft lost about 7 percent on Thursday, closing at $42.83, down $3.40, on the Nasdaq in a volatile session.

THE ‘NOW WAVE’

In his presentation, Gates outlined Microsoft’s strategy over the next few years, saying the company would look to migrate customers over to Web-based computing and services in three phases over the next several years.

The first phase — which he called the “Now Wave” — would center around new consumer-oriented software to be released this fall, including a new media-friendly version of Windows XP, the Tablet PC and a beefed-up browser for online service MSN, as well as a new server and updates for .NET infrastructure.

The second wave would be marked by the release of Microsoft’s database SQL Server, code-named Yukon.

“It will be a period of a modest number of releases,” Gates said.

The third and final phase will be marked by the next overhaul of Windows, a project recently code-named Longhorn, that promises to work seamlessly with .NET, Gates said.

Microsoft has long recognized the need to make itself less dependent on cyclical sales of personal computers and move into software for a wide range of devices, including cell phones, hand-held devices and interactive television.

RISKY BETS

Gates reaffirmed these efforts on Thursday, repeatedly emphasizing the long-term approach that Microsoft is taking while reminding analysts that it was willing to make big, risky bets to move its software away from the desktop and into living rooms and people’s pockets.

“Ten years ago I said (interactive TV) was important,” Gates said. “Ten years later I still say it’s important. How much money have we made? A big negative number.”

The meeting with analysts came a week after the No. 1 software company reported results for its June-ended fiscal year showing a 7 percent gain in annual earnings on a 12 percent rise in revenues.

Growth in sales of its latest platform, Windows XP, and software for businesses was offset by write-downs on investments in the cable industry in the fourth-quarter.

———–
