The monoculture furphy
Marcus J Ranum debunks the monoculture security idea.
If the Onion had an IT section, this would be in it: Gartner Echoes Concerns in visionary "me too!" report.
...
I think there is a problem, but it's more about monopoly than monoculture. (As Ranum says: well, duh.) Microsoft's massive customer lock-in means that there has not been much real and sustainable competition in many areas of software.
Suppose you like distcc, but you think Linux security sucks. Well, recompile it for OpenBSD or Trusted Solaris or whatever floats your goat. Even if distcc were proprietary you could probably persuade me to port to OpenBSD because the costs of doing so are pretty low.
None of that would be possible if it were locked in to the Microsoft API: if you want the application, then you have to take the security you're given. And there are flow-on effects: it means that almost all the other code you use will be in C++, which has effects on security. Most of the hardware you buy will have been shaped by Windows Logo requirements.
posted Tue 27 Apr 2004 in /issues/security
A Hard Lesson to Learn
Joseph Lorenzo Hall writes
A HARD LESSON TO LEARN: don't use Microsoft Word's "Highlight tool" with the color set to black to redact documents--one can still copy and paste "highlighted" text!
The really interesting part about this DoJ case is reading the un-redacted document and seeing what was "blacked out" under FOIA exemptions (un-redacted document is here: http://www.thememoryhole.org/feds/doj-attorney-diversity-unredacted.pdf).
I wonder how many other electronic FOIA-released documents are out there where a simple copy and paste will reveal redactions?
Pertinent paragraph:
"It turns out the [DoJ's] report began its life as a Microsoft Word document, and whoever was in charge of sanitizing it for public release did so by using Word's highlight tool, with the highlight color set to black, according to an analysis by Tim Sullivan, CEO of activePDF, a maker of server-side PDF tools. The simple and convenient technique would have been perfectly effective had the end product been a printed document, but it was all but useless for an electronic one."
posted Thu 30 Oct 2003 in /issues/security
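Added example, not part of Hall's post or the activePDF analysis it quotes: a small Python checker that shows why a black box painted over text is not redaction, and how to verify a "redacted" PDF before release by extracting what its content streams still paint. The PDF, its content stream and the name "JANE DOE" are constructed inline; the parser handles only the simple structure it builds (a direct /Length, optional FlateDecode, literal-string Tj operators), so it illustrates the check rather than replacing a real PDF library.

```python
"""Does a PDF "redacted" with black boxes still carry the hidden text?

Added example (not from the original page). The PDF below is constructed to
mimic the failure described: a black rectangle is painted, then the text is
drawn on top in black. Nothing is visible, but the text is still in the file.
"""
import re
import zlib
from typing import Iterator, List


def build_pdf(content_stream: bytes, compress: bool = False) -> bytes:
    """Wrap a page content stream in a minimal one-page PDF (constructed)."""
    data = zlib.compress(content_stream) if compress else content_stream
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n" % (len(data), filt) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


# A stream dictionary (no nested << >>) followed by the 'stream' keyword.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
# A PDF literal string, allowing escaped parentheses inside it.
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")


def content_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield decoded stream bodies. Assumes a direct /Length (real PDFs may
    use an indirect reference) and at most a FlateDecode filter."""
    for m in STREAM_RE.finditer(pdf):
        dic = m.group(1)
        length = int(re.search(rb"/Length\s+(\d+)", dic).group(1))
        body = pdf[m.end():m.end() + length]
        if b"/FlateDecode" in dic:
            body = zlib.decompress(body)
        yield body


def shown_text(pdf: bytes) -> List[str]:
    """Every literal string painted inside a BT ... ET text object, regardless
    of fill colour or of any rectangle drawn before or after it."""
    found = []
    for stream in content_streams(pdf):
        for block in re.findall(rb"\bBT\b(.*?)\bET\b", stream, re.S):
            for lit in LITERAL_RE.findall(block):
                found.append(lit.replace(b"\\(", b"(").replace(b"\\)", b")")
                             .decode("latin-1"))
    return found


def redaction_leaks(pdf: bytes, secrets: List[str]) -> List[str]:
    """Release check: which of the strings that were supposed to be redacted
    can still be extracted from the file?"""
    text = " ".join(shown_text(pdf))
    return [s for s in secrets if s in text]


def redact_by_removal(content: bytes, secret: bytes) -> bytes:
    """Redaction that works for this toy: delete the text from the content
    stream itself, leaving a marker. Real tools must also scrub metadata,
    annotations, embedded font subsets and earlier document revisions."""
    return content.replace(secret, b"[REDACTED]")


SECRET = b"JANE DOE"
# Constructed content stream mimicking a black "highlight": black box first,
# then black text on top of it. Invisible on screen, still in the file.
BAD_REDACTION = (
    b"0 g 70 696 160 16 re f\n"
    b"BT /F1 12 Tf 0 g 72 700 Td (Applicant: JANE DOE) Tj ET\n"
)

if __name__ == "__main__":
    for compress in (False, True):
        pdf = build_pdf(BAD_REDACTION, compress)
        print("compressed" if compress else "plain", "leaks:",
              redaction_leaks(pdf, ["JANE DOE"]))          # ['JANE DOE']
    fixed = build_pdf(redact_by_removal(BAD_REDACTION, SECRET))
    print("after removal leaks:", redaction_leaks(fixed, ["JANE DOE"]))  # []
```

The check to take away is the last function's use: before publishing, run text extraction over the released file and search for every string that was meant to disappear; if it is found, the redaction was cosmetic. Copy-and-paste in a PDF viewer is the manual version of the same test.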
Copyright (C) 1999-2007 Martin Pool.