Fred Avolio's Musings

musings on security and other topics

Thu, 30 Oct 2003
Gates Promises …

As I sat in the United 757 at O’Hare, waiting for the consummation of our delayed take-off, I glanced across the aisle and read the headline in a fellow passenger’s Chicago Sun-Times: “Gates Promises More Windows Security.” Yes, it was yesterday’s newspaper (28 October 2003). I have no witty or provocative thought for this.

“Longhorn is billed as the biggest operating system upgrade since Windows 95 by Microsoft, whose software runs more than 90 percent of the world’s desktop computers.” Then later in the article, “Microsoft plans to add peer-to-peer networking technologies to let co-workers, for example, send documents to each other that they can jointly view and annotate.” Doesn’t that send shivers of fear up your spine? Really. The full text is at http://www.sun-times.com/output/tech/cst-fin-emain28.html

[/security/] permanent link

Thu, 23 Oct 2003
Scary words

I just got this week’s issue of “Web Informant” (http://strom.com/awards/347.html) from David Strom. Its title is “Coming to an office near you,” which reports on the Microsoft Office System 2003 launch show.

I read the whole column with interest, and found that certain phrases jumped out at me:

came on over a dozen CDs … many of the bravest souls using this software actually put it into production … the sheer complexity surrounding the number of different versions of Office a … Microsoft is extending the notion of what desktop software is, and with Office 2003 we have applications that can reach out across the Internet for online help, for data via Web services, for document repositories and collaboration via SharePoint, for project management and scheduling information via Project Server, for workflow information via BizTalk, and for automatically filling out forms via InfoPath. Office 2003 is a huge collection of stuff …

Cool. New, exciting features. Things that every one of our users will want. Seamlessly — it doesn’t say that, but what else is there with Microsoft? — connecting your desktop to all sorts of networks.

Yes, I exaggerate. But, in the security/feature wars, Microsoft is on the side of our users, not on the side of security. Newer, bigger, better. How well has it been tested? As I’ve mentioned in a blog (here) before, I use Windows software too. But I also got an e-mail from Microsoft today, starting off, “Included in this advisory are updates for five recently discovered vulnerabilities in Microsoft Windows.” So, perhaps I am in a less than hopeful mood.

[/security/] permanent link

Sat, 18 Oct 2003
Book Review: The Myth of Homeland Security by Marcus Ranum

This is a review I posted to Amazon.com.

Ranum’s book is engaging, unsettling, entertaining, and disturbing. Yet, I think it is an accurate assessment of the morass that is “homeland security.” MJR may not make any friends in the FBI, INS, or DHS, but as he turns his keen analytical mind towards security issues broader than an area for which he is world-renowned — computer and network security — he brings clarity to this seemingly unfathomable topic.

Many security practitioners have recognized the “when you don’t know what to do, do something” aspect of some homeland security initiatives. Ranum identifies the agencies and actions that shape homeland security, and makes suggestions for change. Warning: Not everything is fixable, and he makes that clear also. But the beginning of any solution is to first recognize the real problems — the real risks. The next step is to assess what you are already doing. The third is to toss out what is not working, reform what is marginal, and implement what is missing. In this book, Ranum suggests solutions.

The security of the US homeland, and all that it entails, affects Americans, certainly, as well as the whole world. Mr. Ranum is a skilled writer and instructor. Never satisfied to merely lecture, he endeavors to “cause one to learn.” Though he is famous in a highly technical field, the “techie” as well as the “artsy” will be able to read this book, as Ranum makes the subject matter accessible and — although the subject matter is “life and death” — enjoyable.

[/security/] permanent link

Wed, 15 Oct 2003
All in 1 Security Devices

Recently, Internet Security Systems, Inc. (www.iss.net) announced “Proventia”, an “All-in-One” security device. (See their press release at ugly URL http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?oid=22929.) It is supposed to do away with the need for firewalls, antivirus, content filtering, anti-spam, and IDS. Their press release quotes their chairman, president, and CEO Tom Noonan as saying, “Today marks the end of an era in stand-alone security technologies. Internet Security Systems’ Proventia products will revolutionize information security, delivering complete, cost-effective protection and simplicity.” What, the end of another era?

Well. First off, I kind of like stand-alone security devices. Single-purpose machines are easier to trust than multi-purpose machines. It’s the old “security/complexity” teeter-totter. (See www.avolio.com/papers/axioms.html.) A few years ago, what was the first Internet firewall to have a CERT alert posted against it? Okay, right, it was Firewall-1, but a few months later CERT issued CA-2001-25 reporting “Buffer Overflow in Gauntlet Firewall allows intruders to execute arbitrary code.” This happened — as far as I can tell — when Network Associates started making Gauntlet more complex. The problem was a buffer overflow in a stub program added to allow the use of “Cyber Patrol” URL screening. It was not a bug in the Cyber Patrol code. It was in the module added to provide the hooks for Cyber Patrol.

My point is: the more complex, the more likely it is to introduce a bug. In a security device, it will likely be a security-related bug. I don’t like large, multipurpose security devices. They scare me and they should scare you.
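The kind of bug the post describes, a small hook module bolted onto a single-purpose device, is easy to show in miniature. The following is an added example written for this page, not Gauntlet, Cyber Patrol or ISS code: a hypothetical URL-screening stub, first as it might be written without a length check, then in a hardened form that refuses over-long input before any copy happens. The buffer size and the “blocked” keyword are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical URL-screening hook, added to this post as an illustration of
 * how a small "stub" bolted onto a single-purpose device can carry a
 * memory-safety bug. It is not Gauntlet, Cyber Patrol or ISS code; the
 * buffer size and the "blocked" keyword are constructed for the example. */

#define URL_BUF 64          /* fixed scratch buffer handed to the screener */

/* Stub as first written: assumes every proxied URL fits the buffer. A URL of
 * URL_BUF bytes or longer writes past 'buf' (undefined behaviour), which is
 * the general shape of the bug class CA-2001-25 describes. It is shown here
 * only to make the defect visible; never call it with untrusted input. */
int screen_url_unsafe(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                       /* no length check */
    return strstr(buf, "blocked") != NULL;  /* 1 = block, 0 = allow */
}

/* Hardened stub: the length is checked before any copy, and a URL that does
 * not fit is refused rather than silently truncated, so an over-long URL can
 * neither overflow the buffer nor slip past the screening keyword. */
int screen_url_safe(const char *url)
{
    char buf[URL_BUF];
    size_t n = strlen(url);
    if (n >= sizeof buf)
        return -1;                          /* too long: refuse the request */
    memcpy(buf, url, n + 1);                /* n + 1 copies the terminator */
    return strstr(buf, "blocked") != NULL;
}

int main(void)
{
    const char *short_url = "http://example.com/index.html";
    const char *bad_url   = "http://example.com/blocked-page";
    char long_url[200];                     /* constructed over-long input */
    memset(long_url, 'a', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';

    printf("allow  -> %d\n", screen_url_safe(short_url));
    printf("block  -> %d\n", screen_url_safe(bad_url));
    printf("refuse -> %d\n", screen_url_safe(long_url));
    return 0;
}
```

The design point is the one the post makes: the screening logic itself is fine in both versions; the defect lives entirely in the glue that was added to connect it, and the fix is to make the glue refuse what it cannot hold rather than trust the caller.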

The press release goes on to say, “Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine.” Yipes. Complex, no? But then it says, “Proventia’s simplified protection for every layer of business infrastructure eliminates the complexity associated with today’s legacy security products.”

So, here’s what it looks like. This is a very complex system doing only loosely-related things. All of these functions will be managed from one management console.

This may provide “maximum security” that is “simple” as well as being “cost effective,” but I’d want to be convinced. What do those terms mean to you? To them? Do you trust them to be able to put all of those things together into one “easy to use” system? If you are taking an “all-in-one” approach, you’d better trust everything under the hood.

[/security/] permanent link

Wed, 08 Oct 2003
A Linux Desktop

I needed a second system on which to build a second web site and e-mail server. I decided on a computer from Wal-Mart. Why? It was $200. I had my choice of one without an operating system and one with Lycoris — a Linux system. Same price. Even though I plan on tossing the O/S, and installing Red Hat, I chose Lycoris. I was intrigued with the idea of an inexpensive system that Mom and Pop could use.

General observations

I’m fairly impressed. The set-up is very easy. Wizard-driven, it asks you for all the usual things. The system automatically detected the network and received an IP address, DNS information, etc. It has a “Windows-like” interface. I write that as if that is the standard. Well, unfortunately, it is. I tried to think like a novice (ignoring the command line prompt that I knew would get me a Linux shell prompt, for example).

The demo explained that there are “virtual desktops” (3 automatically set up). I wondered if the typical home user will know what that means. But, then, it doesn’t hurt not to use them. There they are at the bottom of the screen. The average user will leave them alone. The more inquisitive user will figure out what they are through trial.

I clicked on the Network Browser and got Mozilla. I had to configure it — that may or may not be easy for a new user — and I had Internet access. I was able to browse and play streaming media. But only after I allowed pop-ups from the sites that used pop-ups for playing streaming content. I suspect a beginner would have stumbled on that. Mozilla e-mail also worked without problems.

The windowing system is X11, and it comes with some fairly standard X11 tools you would expect to find on any Linux system. It uses KDE for the window manager. The system comes standard with KWord and KPresenter, as well as Kedit, an FTP client, numerous photo tools, audio players, etc. (I wrote this on the Lycoris system using Kedit and then FTP’ed it over to my Linux system.) For $50 one can purchase a “productivity pack” to add compatibility with Excel, Powerpoint, and Word (Microsoft Office).

Print set-up was easy and also didn’t work. No joy at all with my network-accessible Epson C80. No Linux driver on the system. Yes, I can find one and try to get it to work. No, I cannot imagine my grandmother going to a store and asking for a printer that came with a driver for Linux. But, this is a problem on Windows systems, albeit less of one now-a-days. Still, finding Hewlett-Packard, and then selecting the printer model, and having it accept it, only to see that it thought it was a PostScript printer (which resulted in 10 blank pages), leads me to think there are still some usability issues to resolve if frustration is to be avoided. But then, it was only $200.

Conclusions

All-in-all, I am impressed. My wife tells me that Consumer Reports gave a low rating to this because of it being Linux. All that contributed code, depending on volunteers, etc. You know.

I may see if I can keep this system around a while and install Red Hat in another partition. Is an inexpensive Linux system like Lycoris a viable alternative? It depends. For someone who has used Windows systems on the Internet for years, probably not. For someone new to the Internet, the answer is “possibly,” with this caveat: while there is a lot of software available for Linux systems, there are far fewer solutions that will meet the availability and installability needs of the novice user. Linux desktops for the masses are where Apple systems were a few years back. “Is there a version for the Mac?” But, if the user is only going to surf, do e-mail, and (perhaps) print, this might be a cheap alternative to a Windows desktop.

[/misc/] permanent link

Mon, 06 Oct 2003
Digestion

In one of my first blogs, I discussed how and why I decided on using blosxom. I mentioned I did not yet know how to set up a digest mailing as a friend has. I wanted something that people could subscribe and unsubscribe to, and that would show the headlines of all items posted in the last month.

I do not (yet) know Perl, but I do know how to write shell scripts using grep, sed, awk, etc. I now have a digest script that runs once a month.
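The post does not show the script, so here is an added example of the same idea, written for this page and not the author’s own: a POSIX shell digest that lists the headlines of every post modified in the last N days. It assumes blosxom’s layout (one post per .txt file under a data directory, the first line of the file being the headline, the file’s modification time being the post date); the sample posts, the 31-day window and the site URL are constructed for the example.

```sh
#!/bin/sh
# Added example, not the author's script: a monthly headline digest for a
# blosxom blog built from find, sort, head and printf. It assumes blosxom's
# layout: one post per .txt file under a data directory, the first line of
# the file is the headline, and the file's modification time is the post date.

tab=$(printf '\t')

# digest DATADIR DAYS
#   Print one "permalink-path<TAB>headline" line for every post whose file
#   was modified in the last DAYS days. The permalink path is the file's
#   path relative to DATADIR with the .txt suffix removed, which is how
#   blosxom addresses a post.
digest() {
    dir=$1
    days=$2
    find "$dir" -name '*.txt' -mtime "-$days" | sort |
    while IFS= read -r f; do
        path=${f#"$dir"}        # strip the data directory prefix
        path=${path%.txt}       # strip the suffix: /misc/digestion
        headline=$(head -n 1 "$f")
        printf '%s\t%s\n' "$path" "$headline"
    done
}

# digest_mail DATADIR DAYS SITEURL
#   Wrap the digest in a minimal mail body, ready to pipe into sendmail
#   (or whatever the monthly cron job uses; that part is not shown here).
digest_mail() {
    printf 'Subject: Headlines from the last %s days\n\n' "$2"
    digest "$1" "$2" | while IFS= read -r line; do
        path=${line%%"$tab"*}   # part before the tab
        title=${line#*"$tab"}   # part after the tab
        printf '%s\n    %s%s\n' "$title" "$3" "$path"
    done
}

# Constructed sample data so the script runs offline.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/security" "$DEMO/misc"
printf 'All in 1 Security Devices\n\nRecently, ...\n' > "$DEMO/security/allinone.txt"
printf 'Digestion\n\nIn one of my first blogs ...\n'   > "$DEMO/misc/digestion.txt"
printf 'An old post\n\nFrom long ago.\n'               > "$DEMO/misc/old.txt"
touch -t 200309011200 "$DEMO/misc/old.txt"   # well outside a 31-day window

# Placeholder site URL; substitute the blog's real base URL.
digest_mail "$DEMO" 31 "http://blog.example.invalid"
```

Run monthly from cron, the output of `digest_mail` is the message body; the subscribe/unsubscribe side the post mentions is list-manager work and is not part of this script.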

[/misc/] permanent link

Sat, 04 Oct 2003
Verisign stops name redirection

A quick follow-up to the original mention: ICANN gave Verisign until Saturday at 6PM PDT to take down their “SiteFinder” “service.” You can (probably) find one of many news items on this at this really long URL.

[/security/] permanent link

Wed, 01 Oct 2003
Risks Reads

In the “Arts & Society” section of Sunday’s Baltimore Sun (28 Sep 2003), Larry Williams reviewed the book Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You by David Ropeik and George Gray (ISBN: 0618143726). (For as long as the link is around, check it out here.) It is now on my “must read” list. Sounds fascinating and relevant, especially for those of us who deal with assessing risk. (I will review it here when I do read it.)

According to Williams, Ropeik “believes we go astray by using common sense to decide what to worry about. The problem is that common sense isn’t based on a rational analysis of the facts but rather subconscious feelings.” Ropeik’s suggestion? Statistics.

Some people are still scared to fly, right? But, they drive all over town, or take driving vacations instead of flying somewhere. Everyone reading this knows that you are safer in a plane than in a car. And the likelihood of death by terrorist attack is … well, I have to read the book. But it’s really small. We talk about these things when we discuss network and computer security and risk.

An interesting-sounding book Williams also reviews is Peter Bernstein’s Against The Gods: The Remarkable Story of Risk (ISBN: 0471295639). Williams writes, “Bernstein explains how mathematicians transformed probability theory from a gamblers’ toy into a powerful instrument for organizing, interpreting and applying information.” I’ve added that to my “shopping cart” as well.

The problem with doing it at Amazon is… Amazon’s web site keeps suggesting other books. So, I see Fooled by Randomness: The Hidden Role of Chance in the Markets and in Life by Nassim Nicholas Taleb. And that leads me to think of RC Sproul’s The Invisible Hand (ISBN: 0849912075). It’s about Providence. But, now I am getting far afield. Or am I?

[/security/] permanent link