Keeping an eye on the coders: a new idea to eliminate flawed programs

codeHere’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.

The new paper, posed by Redmondian Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG, EDA and eye-tracking sensors. These will alert them when the individual is struggling and therefore likely to introduce flawed code.

Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.

Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed “reasonable”.

“I think constantly monitoring the psychological status and the physical conditions of programmers, seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.

“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”

The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.

“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.

“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”

This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.

“Additionally, there’s a big question of whether we can have a system like that can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.

Then, of course, there’s the issue of what kinds of flaws the system will root out.

“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”

So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.

No-IP? No idea. Why Microsoft faces an uphill battle to restore trust

big dataTo say this week was a bad news week for Microsoft would be putting it mildly.

First, its heavy handed decision to stop emailing security updates to users (in response to new Canadian anti-spam laws) was u-turned in a rather embarrassing manner.

Then came something much worse as Redmond’s Digital Crimes Unit (DCU) unilaterally sought a court injunction to seize control of 22 domains belonging to DNS firm No-IP.

It did this to arrest the spread of malicious activity on some of the domains, but with good reason commentators are already calling its strategy misjudged this time around:

  • No-IP was not informed of the take-down, nor was it working in collusion with the cyber criminals. It also pleaded that it has always co-operated with the authorities when asked on such matters previously.
  • Microsoft was unable to filter good traffic from bad, leading to millions of legitimate No-IP customers left without a service earlier this week.

Europol special advisor on internet security, Brian Honan, told me that the incident will further undermine the credibility of tech giants like Microsoft, which has already taking a pasting thanks to the NSA spying revelations from whistleblower Edward Snowden.

He raised a number of valid concerns with me by email:

• If No-IP were not contacted by Microsoft DCU regarding the abuse of their services what right have Microsoft DCU got to determine how good or bad the No-IP abuse mechanisms were? Indeed, what is the criteria and standards that Microsoft used to determine how responsive the No-IP abuse desk is? Are all service providers, including Microsoft, now expected to meet the requirements and expectations of Microsoft DCU? And if not can they expect similar interruptions to their business?
• Microsoft DCU also showed they do not have the technical capabilities in managing Dynamic DNS services and subsequently have impacted many innocent users and businesses, how will Microsoft DCU ensure
• There are also concerns over Microsoft infringing on the privacy of No-Ip’s legitimate customers.  In effect Microsoft diverted all of these customers’ internet traffic via Microsoft’s systems. An action that could place No-Ip and Microsoft in breach of their own privacy policies and indeed various privacy laws and regulations

This is probably the first major mis-step by the Digital Crimes Unit, and it will need to re-examine its procedures and processes very carefully to avoid a repeat. Its loss of face in this incident will only benefit the cybercriminals if it makes Redmond and others more hesitant to take action in future cases.

News of the World hackers, hacked ATMs and celeb snooping

news of the worldNews of the World private investigator Glenn Mulcaire was this week revealed to have gone to extraordinary lengths to hide his illegal tapping of celebrities’ voicemails: hacking an ATM to use its phone line.

I covered the story here for Infosecurity Magazine but thought it was worth including some extra comments.

Mulcaire’s cover was finally blow when BT sent a bill for the landline to the ATM owner, who forwarded it to the convenience store in which it was located, in a scruffy part of south London.

Sophos senior security advisor, Paul Ducklin, explained to me that Mulcaire probably chose an ATM line rather than tapping a copper phone line via other means, for several reasons.

“1. Unlike a fax machine the line never plays through a speaker for feedback purposes. Fax machines usually play their modem noises for a few seconds as part of the ‘user interface’.

2. If you interrupt a data transmission, the system will probably sort itself out automatically later on and no-one will realise that it was deliberate, rather than just a glitch. And you’ll hear the modem trying to come on-line, so you can hang up temporarily to get out of the way.

3. It’s likely to be a rented service that bundles in the phone line, so the bills probably go through a convoluted route to the person where the line is actually installed, making detection more complex – as happened here.”

He stressed the important of business owners checking their phone statements, just as one should bank statements or those belonging to online accounts, for any signs of suspicious activity.

“Cybercriminality usually leaves traces, and the one thing you can be sure of if you don’t make a habit of looking for those traces is that you won’t find them,” Ducklin told me.

“In various recent high-profile credit card breach cases, the afflicted retailer found out because someone outside the organisation noticed suspicious patterns of fraud. Best not to wait until someone else finds out before you do.”