Wednesday, March 29, 2006
I have been tracking Nigeria for the past few months to see if China has been outsourcing their technical know-how of censorship techniques. There was an interesting Businessweek article which disclosed that China is in fact selling radio jamming technologies to Zimbabwe to suppress dissidents. Derek Bambauer asks some difficult questions in a Legal Affairs article called Cool Tools for Tyrants. IBM was known for selling tabulation machines to the Germans during the part of their history they’d like to forget. Are we repeating these mistakes by not slapping Cisco et al. for the same atrocities?
Wednesday, March 29, 2006
eEye and Determina have both put out third-party fixes for the latest Microsoft IE patch. The relative public utility of this altruistic move is difficult to determine. On the one hand, we have two companies who have stepped up and cut off the obvious lead time that worm writers and other malicious web site operators intent on owning your PC would otherwise have. Once the flaw is announced, everyone has to sit on their hands until Patch Tuesday rolls around. Smaller firms are the most likely to be hit and the least important to someone like Microsoft. Providing this patch is therefore a good thing, since Microsoft is incapable of producing a quality-assured patch in time.
On the other hand, it is possible that Microsoft could produce the patch if it leveled more resources at the issue. Fixing products they have already received revenue for is nothing but a cost center for Microsoft. They have only negative press, which bleeds more cost from future sales, to inspire them to put out patches in a timely fashion. If Microsoft’s work is done for them by “do-gooders” like eEye, then what use is it to pressure Microsoft to put out the patch sooner? What if there weren’t an eEye there to do their work for them?
[edit]
An interesting (unconfirmed) post on Slashdot from one of the Determina engineers:
Source code for the eEye patch. Written by Derek Soeder
Tuesday, March 28, 2006
This was a very intensely discussed topic when I worked at Symantec. The company I worked for originally (@stake) was known for releasing security advisories. It was a large part of the PR machine and a staple for most network security firms. Symantec wasn’t sure how to deal with this, and through the very diligent work of a few employees it seems the process is back. The advisories seem a little anemic to me, but something is better than nothing.
What is missing, of course, is actual detail of how to exploit the flaw. There are several reasons why this information isn’t available and will never be available from Symantec. First is the OIS, of which Symantec is a member. This body forbids the “irresponsible” disclosure of vulnerability details. This position is debatable. Common practice these days allows a smart reverse engineer to pick apart the patch itself and obtain whatever details are relevant. There are cases where obscuring this information works and also cases where it hinders safety.
Second is the nature of the firm. Symantec is a large company and has very deep pockets, so putting out exploit code would expose the company to legal action. Whether or not prosecution would ever succeed is irrelevant. The “transaction cost” alone for someone of Symantec’s size would ensure that PR and Legal would gang up to enforce a no-disclosure rule. I would wager both teams, at the very least the latter, were against this move. The rumor mill states that these teams were the ones who killed off the L0phtCrack password auditing software line (LC5) and the incredible WebProxy software. The latter likely died from its inability to generate 100M in revenue per year, which is the magic number for Symantec.
Tuesday, March 14, 2006
I found this string in my MP3 comments that looked like it was in hex.
00001592 00000000 00013426 00000000 00045492 00000000 00007dfe 00007dfe 0003db0a 0003db0a
It is in hex, but the results are in the higher ASCII range; it wouldn’t be readable. It is interesting that someone could feasibly search for this GUID and send a cease-and-desist to the bearer of this code. What if someone just generated a series of random four-byte codes in hex?