
Thursday, August 17, 2005

Subject: NASA says "it's too hard"

Jerry,

Regarding that NASA Marshall rocket engineer one of your correspondents reports as claiming X-33 proved Single Stage To Orbit was too hard without oodles more expensive new technology development, well... That reaction was both predictable and predicted, over eight years ago. From Space Access Update #71, May 6 1997, I quote:

"X-33 we see as in real danger of failing - failing first flight, or turning into a "NASP II" technology playpen and never flying at all - in part because it was poorly-conceived (too many new bleeding-edge technologies included, too many Shuttle-replacement expectations tacked on, more a premature operational prototype "Y" vehicle than an experimental "X" ship) and in part because as best we can tell, the contractor top management has no urgent incentive to ensure that X-33 succeeds. Make no mistake, we'd like to see X-33 succeed. But if it does fail, we don't want to be hearing any nonsense about the failure proving SSTO can't work."

Alas, we've been hearing nothing but that from NASA since. For far more about the history, technology, and politics of X-33 going down the tubes, see Updates #71, 84, 91, and 98. (If www.space-access.org is still down, try googling the sci.space.policy newsgroup archives for them.)

Bottom line: NASA, predictably and predicted, screwed the pooch to the tune of nearly two billion dollars and most of a decade's time wasted. Worse, all they seem to have learned from the debacle is to give up even pretending to develop cheaper space transportation - their response to the President's "Vision for Space Exploration" challenge seems to be to use surplus Shuttle components to essentially duplicate the Saturns 1 and 5, forty years and much of a trillion dollars later. Assuming, of course, they're even capable of doing so.
This plan still has to get past the White House and Congress; I suggest anyone with any influence there push for NASA *not* being allowed to develop their own space transportation ever again.

Henry Vanderbilt
Space Access Society

The obvious remedy for an outfit that wastes a trillion dollars then says the job was too hard is to give the job to someone who will do it. How do you know if they can do it? Do not pay until it is done. Announce a ten billion dollar prize for a lunar colony. Announce a 5 billion dollar prize for true reusable space ships and engines. Don't award a nickel until the job is accomplished, then pay. NASA says it can't be done: why do they oppose prizes for those who might do what NASA can't do? The scoundrels. See below.

===========

Jerry P:

The UK speed zone thing is interesting. Kind of reminds one of "Liars, damn liars, and statisticians". It would be interesting to see real information rather than summaries like that. Who decided where to put the speed cameras? Maybe it was a place where there was a higher likelihood of accidents anyway. Etc. Is the conclusion that the cameras cause accidents? Maybe the drivers were watching their speedometers too closely and rammed into the car ahead? Did they put cameras on lonely roads with little traffic; and so on. Taking anything printed in the news media as in any way factual is always a mistake without corroboration.

Charles Simkins

=================

Subject: "This Will Make You Proud!"

Sir, unfortunately, this web site didn't make me proud. The actions of that young Lieutenant DID make me proud, but the base use of his actions the way that site did makes my skin crawl. Just as I hate the use of casualties as a device for those who oppose the war (I also oppose the war), I loathe this as well. This isn't a "good news story", even though it is a story of heroism. That Lieutenant had to kill many people, up close and personal, and that is a tragedy.
The fact that that is his job, and he did it well, doesn't translate this into a "war success" story, just as the fact that soldiers are killed doesn't translate into a "war failure" story. The greatest generation had heroes, as we do now. But, ask Audie Murphy about his heroics. He lived his life suffering from post-traumatic stress disorder after the war, but no one can deny his heroism. Celebrate the marine, his heroism. But he was a hero before that happened, it's just that more people know it now. His heroic triumph is not "good news" about the war.

I see much made by the supporters of this war about Mrs. Cindy Sheehan, and how terrible it is that she is allegedly using her son's death as a political tool. I have much sympathy for that woman and what she's doing, but little patience for those that are using her as a tool. I see this website in much the same way.

Proud? No, very little about our actions in Iraq make me proud, but I'd serve beside that Captain any day, and I'd give my life for him and his marines. Of course, I knew that before.

bryan

Of course I get this while in an airport with pen. It requires a longer reply than I can give here. I do invite all to think on the proper attitude toward heroes & heroism in a faithless age. A nation that cannot honor or take pride in deeds of glory will have other and more serious problems. Those who have seen the elephant have their lives changed, some more than others; but that is not the essence of the problem. Acts of war are done in the name of us all. We must take responsibility, for we sent them to do their work. Shall we eat the guilt yet have no share in the glory? Liberals would say yes. There is no glory. But can we live that way?

For some reason I am reminded of a line from Scott's Bonnie Dundee. "With sour-visaged Whigs the Grassmarket was crammed, as if half the South had set tryst to be hanged." The joyless Whigs were a well known feature of Revolutionary Scotland.
Dundee rode to glory with a song, with trumpets and kettle drums. Was this wrong? Should men fight and die with the sour visage of the true Whig? I ask but I have no final answer. (See below.)

===============

Subject: Windows invulnerability

>> But while we are at it, it remains true that not one properly updated Windows system has been hit with an infection not requiring cooperation by the machine's operator. <<

Jerry, that simply isn't true. Fully-patched Windows machines by the millions have been infected by worms *before* Microsoft has even issued a patch. But it's worse than that, because merely issuing a patch doesn't solve the problem. Zotob is just the latest case. Sure, Microsoft says they issued a patch and that all anyone had to do was apply it. But issuing a patch one day for a worm that arrives the next is no solution.

Put yourself in the position of a corporate IT manager with a thousand (or ten thousand) Windows boxes. Are you going to apply the patch to all those systems immediately? Of course not. In the first place, it takes time to get the patch rolled out to all your systems, even if you're foolish enough to trust Microsoft that the patch won't break anything. If you want to keep your job, you're going to test the patch first, which again takes time.

Microsoft's whole patch strategy is a bandaid solution. The problem is that Windows is fundamentally insecure by design. The only real solution would be for Microsoft to rewrite Windows from scratch, and that isn't going to happen. Meanwhile, those of us running secure operating systems like Linux and OS X can only sympathize with those unfortunate enough to be running a piece of garbage like Windows.

-- Robert Bruce Thompson

For the first part of your statement I need to defer to Microsoft, who say otherwise.
Apparently though, all those corporate IT people are fools or crooks or very likely both, who waste their employer's substance on worthless dross instead of buying Apple, or teaching their minions Linux. Such arrogance! They do not listen! Or perhaps there is a case for Windows and it is valid?

I use Windows because OS/2 was worthless in actual use although great in theory. I do not use Linux because much of the software does not integrate seamlessly. I admit that my early experiences with Linux discouraged me. On the other hand I see no great advantage to using Linux here. That may be because I have not been bitten by worms or viruses other than an e-mail vectored Melissa a long time ago. If all I did was to write books I might use a different system. Joel Rosenberg has changed to Linux and loves it. Apple is a different story. We will see; but I can afford anything I like. Many readers cannot. The security story is not over.

==

Subject: Update Your Mac

Dr. Pournelle:

For the "My Mac is Better than yours..." crowd, this notice at the Internet Storm Center http://isc.sans.org (and other places), emphasis added:

"Apple released patch set #7 for this year: http://docs.info.apple.com/article.html?artnum=302163

"A number of critical issues are fixed by this patch sets. Highlights include Apache2, Bluetooth and zlib. It is recommended that OS-X users apply these patches expeditiously. For some of these issues, exploit code is available for other platforms and may be adapted to OS-X.

"Make sure you use version 1.1. of this patch set. Initially, Apple released 1.0 but it was missing a critical 64 bit library and broke some applications."

Doesn't matter what OS you use, Windows, Linux, Mac, Sun, whatever ... updates, patches, firewalls are important. "I tell you three times..." I go to a lot of places on the "Interweb" with my fully patched/virus protected/firewalled Windows XP system, and no problems with my computer.

Regards, Rick Hellewell

Is comment needed?
I don't have problems - yet - either.

=

Subject: Latest Microsoft worm raises questions of support

Jerry,

(First, thanks for your books, especially those that you and Larry Niven work together on. I often get libraries and book stores to order them for me if they're not already there in the English language sections. I noticed one stocked up on all the ones currently in print after I ordered Gripping Hand from them. However, the following is somewhat more related to your technology columns. Something strikes me funny about the way the news has been reporting the latest MS worms so it may not just be technology but politics.)

The latest Microsoft worm raises two questions of support again, but none of the main news sources are asking them yet. I think the second question is far less controversial than the first and several magnitudes easier to solve:

1) Can MS simply not keep up or is it actually neglecting older products again to drive sales of newer ones? Though Windows 2000 is still supported, only XP and later were actually patched. Why? All three use NT-based kernels and the service in question is available on all three. Perhaps this is a possible preview of what current XP users will also experience a few years from now, just as their NT predecessors did. More and more it appears that Microsoft is falling behind on patches even after going to a monthly cycle. The question is, why?

2) Why has MS chosen not to release actual security patches and instead used the opportunity to force unrelated changes? Though MS has generated a multitude of "service packs", "patches", "roll outs" and "upgrades", none of these actually address security and security only. Instead these have all been bundled with changes in both configuration and functionality, sometimes unpopular ones, creating a situation which often forces customers to choose between skipping the patch or breaking mission critical applications.
Competitors have long been able to separate upgrades in security from upgrades in functionality, in some cases for longer than MS has been on the Internet. For some, that has even been their ongoing strength. No one has called out MS for not providing actual *security* patches for its own products. Why?

-Lars
Lars Nooden

And see below

=====================

Subject: NASA says "it's too hard"

Jerry,

Substantial prizes for results (not one cent for "but we tried real hard!") is one good approach. An alternative that might be a bit easier to sell to Congress is good old-fashioned competition. From Space Access Update #98, March 8th, 2001, written in the context of X-33 finally getting a well-deserved stake through its heart while NASA's chosen followon "Space Launch Initiative" (SLI) already looked like nothing but more of the same:

"The real lesson here is NOT to give NASA massive new funding and another five years - that would be pouring money down the same old NASA RLV monopoly rathole. The lesson of X-33 is, next time give the job to people actually willing to go at the problem in a manner that gives them a chance of solving it with the wide array of advanced technology that's already practical and available.

"This means letting multiple other agencies take a crack at the problem, in competition with each other, so "it was too hard" after a half-assed screwed up effort is no longer a safe excuse. Multiple competing outfits, possibly inside NASA (Ames and Dryden, Glenn, or Langley Centers come to mind) but certainly outside (DARPA, AFRL, NRL, NSF, and DOT are some possibilities) should now get a chance.

"Slice up the SLI budget a half-dozen ways, set a half-dozen agencies loose on the problem, encourage them to take chances with streamlined procurement and non-traditional vendors, and tell them that every four years, the two most successful among them get 50% of the budgets of the two least successful. Then stand back and watch the RLV's fly!"
Four years later, it's still good advice. I look at NASA's current drunkard's walk towards reinventing Apollo because they've failed at all they've tried since, and I wonder if we'll ever learn. Thirty years and most of a trillion dollars...

Henry Vanderbilt
Space Access Society

Competition works only when there are competitors. The aerospace industry is a conspiracy to divide the spoils among the existing companies. They will not compete! They will lobby. Adam Smith described it. Barriers to entry. No capital investor will take on the established. Prizes at least allow the possibility of new companies. Contracts to the big guys assure the oligopoly will rule forever. I can support X programs but USAF no longer knows how to manage X programs or even what they are. NASA knows and hates them. Aerospace Corp once knew what X programs are but I doubt it does now. Your competition will be a race to the lobby. Depend on it. Industry does not want to compete. Perhaps I despair prematurely, but I do not think so. Small programs, tens of millions at most, spread widely to encourage new companies. That may work. But big contracts to the giants feed the beast. Still on plane with pen, excuse the errors. (Continued below)

===============

Subject: William E. Odom: What's wrong with cutting and running?

Hello, Jerry,

"Everything that opponents of a pullout say would happen if the U.S. left Iraq is happening already, says retired Gen. William E. Odom, the head of the National Security Agency during the Reagan administration. So why stay?"

http://www.niemanwatchdog.org/index.cfm?fuseaction=ask_this.view&askthisid=00129

Powerful arguments.

Regards, John Welch

Actually, that's a decision well above my pay grade. Above General Odom's for that matter. The problem is this: if the enemy perceives that we will not stay the course, then that is a great incentive to continue, to throw in the last reserves, as the North did in Viet Nam.
Had they been convinced that the US would never leave, and that every invasion from the North would end as the 1972 invasion ended, with 100,000 casualties at small cost to the US, it is likely that the North would have given up; or that the Soviet Union would write off Viet Nam as an expensive rat hole into which was poured the wealth that might have been used to build up the USSR. But so long as the NV Politburo thought they could win, they were willing to sacrifice the lives of their young men to the fight.

I am not privy to the discussions among the terrorists and Islamic jihad councils, but I would guess that some of that logic prevails there. The last struggle between the West and Islam took hundreds of years, and was not really ended until Suleiman was defeated at the gates of Vienna; some would say it was not really decided until a hundred years after that. The West was divided then, and endured the 30 Years War prior to the final defeat of the Turks. From the Islamic point of view it was a near thing.

Is that the case here? I don't know. I would as soon declare victory and bring the forces home and use technology to make America safer; let Europe look to its own defenses, such as they may be. But again such decisions are made in places other than my study. And the worst of it is, if enough in America waver, the effort is surely lost. Does that mean one continues to throw two or three troopers a day into a meat grinder? But yet -- more die on the highways and we are not going to take the cars off the road.

==============

Subject: Retro-chic.

http://www.retrothing.com/2005/08/the_imsai_serie.html

- Roland Dobbins

==========

Subject: Microsoft and Patches and Worms and Linux

Dr. Pournelle:

I respect Robert Thompson's expertise in things computerish. I've been reading his blog for several years (through the "Daynotes Gang", of which I am proud to be a member).
But each time he mentions Microsoft, I just know he is going into another 'rant' against them as the "evil empire". I take exception to many of his statements posted on your mail pages this week (and similar rants on his pages). For instance, "Fully patched Windows machines by the millions have been infected by worms *before* Microsoft has even issued a patch".

I have previously stated that my computer, which is fully (and timely) patched, has *never* been infected with a virus/worm. That is not only because of my policy of automatic updates, but because I practice "safe computing" (even though I do, as part of my job, go to some 'dark places'). It's my responsibility to compute safely.

But it's not just my experience. There is research that verifies that patching is important, even if you *do* go to 'dark places'. Example: An interesting research paper from Microsoft and their "HoneyMonkey" project. The paper is here ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf , and is described by Microsoft as:

"Internet attacks that use Web servers to exploit browser vulnerabilities to install malware programs are on the rise. Several recent reports suggested that some companies may actually be building a business model around such attacks. Expensive, manual analyses for individually discovered malicious Web sites have recently emerged.

"In this paper, we introduce the concept of Automated Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect Internet users. We describe the design and implementation of the Strider HoneyMonkey Exploit Detection System, which consists of a network of monkey programs running on virtual machines with different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser vulnerabilities.

"Within the first month of utilizing this new system, we identified 752 unique URLs that are operated by 287 Web sites and that can successfully exploit unpatched WinXP machines. The system automatically constructs topology graphs that capture the connections between the exploit sites based on traffic redirection, which leads to the identification of several major players who are responsible for a large number of exploit pages."

(For more information on the Strider Honeymonkey research project, visit http://research.microsoft.com/honeymonkey, including the PDF of the article here: ftp://ftp.research.microsoft.com/pub/tr/TR-2005-72.pdf . It's a bit technical, but interesting.)

Note that they tested various levels of unpatched WinXP systems. They found that a patched system is much more protected. From an article at SecurityFocus:

"Among the researchers other findings is that even a partially patched version of Windows XP Service Pack 2 blocks the lion's share of attacks, cutting the number of sites that could successfully compromise a system from 287 for an unpatched system to 10 for a partially patched Windows XP SP2 system. A fully patched Windows XP SP2 systems could not be compromised by any [of these] Web sites, according to the group's May-June data. (The zero-day exploit of javaprxy.dll happened after this data set.)" [See Table 1 in the Microsoft report.]

***No exploits on a fully patched XP system.*** And those systems went to very dark places.

Linux is not perfect, and needs to be regularly patched. Does that make it a less secure product? Firefox/Mozilla has vulns that need regular patching. Open-source apps (large and small) have vulns that need patching. Several open source blog/diary-type sites (PHP-based) have vulns that need patching. One big exploit last year was the attack on web-based advertising servers running exploitable Linux OS. Just by visiting a high-profile page (news or entertainment sites) and getting an ad from that compromised ad server infected computers.

So you say to "change to Linux". How are you going to keep your Linux computers updated? Shouldn't you? There are lots of vulns for Linux computers; lots of patches to install. I see dozens of Linux-based bug reports every week on the "BugTraq" mailing list for open-source software large and small.

I believe that Microsoft has made great progress in security. You can see how the security folks at Microsoft are working hard to protect their systems (there are lots of MS staff writing blogs related to security and malware).

A chef knows that he needs to keep his knives sharp, and the gas bill paid. Without the proper tools, the chef is out of business (a "Denial of Service"). A responsible corporation knows that the tools they use have to be kept current. Or they can be out of business. (Oops... I didn't pay the phone bill. So it's the phone company's fault my phones don't work.)

A responsible corporation can keep their computers patched, and quite easily. At my "large municipal government agency", we use the *free* Microsoft Update Server (now called "Windows Software Update Server") to automatically keep the workstations and servers current. MS releases a patch, a couple of checkmarks at the WSUS update interface, and workstations are updated. Yeah, it requires a server. Yeah, it took a bit of effort to set up the user's computers (we just pushed down registry settings). Yeah, the user's computer may restart. But our 2500+ Windows computers are protected and updated.

Responsible corporations (and users) with Windows computers can be protected against malware. Automatically, with minimal effort once everything's set up.

No matter which tool you use, you need to do updates. If you don't, then don't complain when your tool doesn't work. And don't blame the tool manufacturer. It's your fault. *You have to take responsibility*.

("I'm sorry that you ejected through the windshield during the car crash. The seat belt was there; you chose not to wear it. Must be the car's fault." "Oops, cut yourself again, didn't you. Must be the knife's fault." "Phone doesn't work? Didn't pay the bill? Must be the phone company's fault." "Didn't change the oil as often as you should have? Must be the engine's fault that it seized up.")

(Sorry for the length ... thanks for your patience.)

Regards, Rick Hellewell, Security Guy

Let's all of you fight, it's too late at night for me. (But clearly I have great respect for Mr. Thompson, but in this instance I am far closer to Mr. Hellewell.) (And see below)

================

Subject: Spear Phishing Buffy Willow

Dr. Pournelle,

Found via Rand Simberg <http://www.transterrestrial.com>, http://www.computerworld.com/securitytopics/security/story/0,10801,104000,00.html?source=NLT_AM&nid=104000

Not only can you no longer open unexpected email attachments, but you better call your boss or the IT department to confirm this.

Sincerely, Bruce Jones
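Rick Hellewell's letter above describes keeping 2500+ workstations current by pointing them at a WSUS server through pushed-down registry settings. The PowerShell script below is an added example, not code from the letter, from Chaos Manor, or from Microsoft: it checks a client against the documented WSUS client policy values (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions), reports drift and a stale last-install date, and with -Apply writes the values; the server URL wsus.example.local:8530 and the 30-day threshold are placeholder assumptions.

```powershell
# Added example (not from the letter or from Microsoft): audit, and optionally
# apply, the Windows Update policy that points a client at a WSUS server.
# The server URL is a placeholder assumption; replace it with your own.
param([switch]$Apply)

$ExpectedServer = 'http://wsus.example.local:8530'   # placeholder value
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# The registry policy a site would push to every client, expressed as the
# state we expect to find on the box.
$Desired = @(
    @{ Key = $PolicyKey; Name = 'WUServer';       Value = $ExpectedServer; Type = 'String'; Why = 'intranet update server' }
    @{ Key = $PolicyKey; Name = 'WUStatusServer'; Value = $ExpectedServer; Type = 'String'; Why = 'status reporting target' }
    @{ Key = $AuKey;     Name = 'UseWUServer';    Value = 1;               Type = 'DWord';  Why = 'use the intranet server' }
    @{ Key = $AuKey;     Name = 'NoAutoUpdate';   Value = 0;               Type = 'DWord';  Why = 'Automatic Updates enabled' }
    @{ Key = $AuKey;     Name = 'AUOptions';      Value = 4;               Type = 'DWord';  Why = 'auto download, scheduled install' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-WsusClientPolicy {
    # Compare each desired value with what is on the box; return a list of findings.
    $findings = @()
    foreach ($d in $Desired) {
        $actual = Get-RegValue $d.Key $d.Name
        if ($null -eq $actual -or "$actual" -ne "$($d.Value)") {
            $findings += "$($d.Name) is '$actual', expected '$($d.Value)' ($($d.Why))."
        }
    }
    # Last successful install, from the Windows Update Agent COM object.
    try {
        $last = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Results.LastInstallationSuccessDate
        if (-not $last) {
            $findings += 'No successful update install is recorded on this machine.'
        } elseif ($last -lt (Get-Date).AddDays(-30)) {   # 30 days is an assumed threshold
            $findings += "Last successful update install was $last, over 30 days ago."
        }
    } catch { $findings += 'Could not query the Windows Update Agent for install history.' }
    return $findings
}

function Set-WsusClientPolicy {
    # Write the desired policy values (needs an elevated shell).
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
        New-ItemProperty -Path $d.Key -Name $d.Name -Value $d.Value -PropertyType $d.Type -Force | Out-Null
    }
}

if ($Apply) { Set-WsusClientPolicy }
$findings = Test-WsusClientPolicy
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: WSUS client policy matches the expected configuration."
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it without -Apply from a remote-execution or login script to spot machines that have drifted from the pushed policy before they fall behind on patches.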