In the News

Microsoft Fixes Critical 19-Year-Old SChannel Bug, But No Patch For XP provided by Mark Bohannon

Originally posted on No patch for unsupported XP, even though some say the “Winshock” bug in Windows’ SSL/TLS installation is worse than Heartbleed.

Microsoft has patched a critical 19-year-old data manipulation vulnerability that’s been lurking in every version of Windows — both server and client operating systems — since Windows 95 (MS14-066). Microsoft has not released a patch for the now unsupported Windows XP.

This critical bug in Windows SChannel, Microsoft’s implementation of SSL/TLS, allows remote code execution: an attacker could run malicious code on a vulnerable system by sending specially crafted packets to a Windows server. It has been rated a 9.3 on the CVSS scale. The vulnerability, called “Winshock” by some, is next on the list of bugs exposing SSL/TLS installations — like OpenSSL’s Heartbleed (for which Microsoft did release an XP patch after support officially ended) and the vulnerability in Apple Secure Transport released in the spring.

“Is WinShock as bad as ShellShock and Heartbleed?” asks Gavin Millard, EMEA technical director at Tenable Network Security. “At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like SChannel is up there with the worst of them.”

So far, no exploits of Winshock have been reported in the wild.

Winshock was discovered and privately disclosed by researchers at IBM X-Force in May. As Robert Freeman, manager of IBM X-Force Research, explained in a blog post:

This complex vulnerability is a rare, “unicorn-like” bug found in code that [Internet Explorer] relies on but doesn’t necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.

Freeman acknowledges that exploitation is “tricky.” He describes how the vulnerability, which originates in “some very old code within the OleAut32 library,” can be exploited remotely via the Visual Basic Script present in all versions of Internet Explorer since IE 3.0.

This bug is significant, he says, because it shows that critical vulnerabilities can be overlooked for nearly 20 years. “It indicates that there may be other bugs still to be discovered that relate more to arbitrary data manipulation than more conventional vulnerabilities such as buffer overflows and use-after-free issues.”

Bromium Labs security researcher Jared DeMott tells us:

One of the interesting bits in this story is that Microsoft is not really saying exactly how bad this bug is for the client. The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website, which most are these days. And it would be straightforward for an attacker with details of this vulnerability to host a malicious site that offers “security” via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we’ll have to wait to hear about how bad it is.

Millard says that “no proof of concept code has surfaced yet, due to Microsoft thankfully being tightlipped on the exact details of the vulnerability.” Nevertheless, “it won’t be long until one does which could be disastrous for any admin that hasn’t updated. It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data.”

Joe Barrett, senior security consultant of Foreground Security says that Winshock “will most likely be the first true ‘forever-day’ vulnerability for Windows NT, Windows 2000, and Windows XP. As Microsoft has ceased all support and publicly stated they will no longer release security patches, enterprises who still have Windows 2000 and Windows XP machines will find themselves in the uncomfortable situation of having an exploitable-but-unpatchable system on their network. Security researchers and blackhats alike are most likely racing to get the first workable exploit against this vulnerability, and the bad guys will begin immediately using it to compromise as much as they can. As a result, enterprises need to immediately deploy the patch to every system they can and also begin isolating and removing the unpatchable systems to prevent serious compromise of their networks.”
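The advice above (patch every system that can be patched, isolate the rest) is an inventory-triage problem. The following is an added example, not code from the article or any vendor quoted in it: it reads a constructed asset inventory and sorts each host into patched, needs-patch, or isolate (the “exploitable-but-unpatchable” forever-day case), putting hosts that answer TLS first because the bulletin names servers as the exposed side. The host names and inventory lines are constructed, and the bulletin id MS14-066 is used as the patch identifier only because that is what the article names; real hotfix inventories key on KB numbers.

```python
# Added example (not from the article): triage an asset inventory for a
# "forever-day" bug such as Winshock. All inventory data below is constructed.
import csv
import io
from dataclasses import dataclass

# Windows generations the article says Microsoft no longer patches.
UNSUPPORTED_OS = ("Windows NT", "Windows 2000", "Windows XP")
# Bulletin id from the article, standing in for the hotfix/KB id an inventory
# tool would actually record.
REQUIRED_PATCH = "MS14-066"

# Constructed inventory: host, OS, semicolon-separated patches, TLS listener?
INVENTORY_CSV = """\
host,os,patches,tls_listener
web01,Windows Server 2008 R2,MS14-064;MS14-066,yes
web02,Windows Server 2012,MS14-064,yes
kiosk7,Windows XP,MS14-012,no
hmi3,Windows 2000,,yes
laptop42,Windows 7,MS14-066,no
file01,Windows Server 2003,,no
"""


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset
    tls_listener: bool  # runs an SChannel-backed listener (HTTPS, RDP, LDAPS, ...)


def parse_inventory(text):
    """Parse the CSV inventory into Host records (empty patch field -> no patches)."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        patches = frozenset(p.strip() for p in row["patches"].split(";") if p.strip())
        hosts.append(Host(row["host"].strip(), row["os"].strip(), patches,
                          row["tls_listener"].strip().lower() == "yes"))
    return hosts


def classify(host):
    """Return 'patched', 'needs_patch', or 'isolate'.

    'isolate' is the forever-day case: the OS is out of support, so no patch
    will ever arrive and the only mitigation is isolation or removal.
    OS names are matched exactly against UNSUPPORTED_OS.
    """
    if host.os in UNSUPPORTED_OS:
        return "isolate"
    if REQUIRED_PATCH in host.patches:
        return "patched"
    return "needs_patch"


def triage(hosts):
    """Group hosts by verdict; within each group, TLS-exposed hosts come first,
    then alphabetical, so the work list starts with the bulletin's server case."""
    groups = {"isolate": [], "needs_patch": [], "patched": []}
    for h in sorted(hosts, key=lambda h: (not h.tls_listener, h.name)):
        groups[classify(h)].append(h.name)
    return groups


if __name__ == "__main__":
    for verdict, names in triage(parse_inventory(INVENTORY_CSV)).items():
        print(f"{verdict:12s} {', '.join(names)}")
```

Running it on the constructed inventory lists hmi3 and kiosk7 for isolation, web02 and file01 for patching, and web01 and laptop42 as already patched; the isolate group is the one that no amount of patch deployment will shrink.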

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

U.S. Digital Services and Playbook: “Default to Open” by Mark Bohannon

Originally posted on About this time last year, I laid out some trends I saw for the coming year in government take up of open source software. Looking back now, it appears those trends are not only here to stay, they are accelerating and are more important than ever.

In particular, I wrote that “open source will continue to be the ‘go to’ approach for governments around the world” and that “increasingly, governments are wrestling with the ‘how tos’ of open source choices; not whether to use it.”

Recent developments in the United States highlight these points.

First, the White House (via OMB and the Federal CIO) has issued a Digital Services Playbook, described in some quarters as “something of a marvel for an official government policy: it’s elegantly designed, has clear navigation, and is responsive to any device you choose to view it upon.” It is well worth a read.

At its core, the Playbook is about more agile use of reusable software and processes that focus on the customer. Central to that approach is its emphasis on open source. The final ‘play’ in the Playbook captures the notion of ‘Default to Open’. Play 8 encourages agencies to ‘Choose a Modern Technology Stack’. “In particular, digital services teams should consider using open source, cloud based, and commodity solutions across the technology stack, as these solutions have seen widespread adoption and support by the most successful private-sector consumer and enterprise software technology companies.” It clearly states, “Consider open source software solutions at all layers of the stack.”

Of course, none of this is entirely new. One can find echoes of all these points in earlier Administration policy statements. For example, its ‘Shared Services’ strategy clearly calls for use of open standards in data and information exchange and states clearly the technology principle that “open-source software solutions should be included in alternatives analyses.” (If there is one concern I have with the Digital Services Playbook, it is that there is an ‘old school’ statement that “open source solutions are [to be] evaluated alongside commercial solutions when technology choices are made,” a throwback to the days when there was confusion on this front. In fact, the US government has long recognized that open source software is, in fact, commercial software.)

The Digital Services Playbook bears strong resemblance to the principles driving the United Kingdom’s (UK) Government Digital Service (GDS), announced in 2013. As Mike Bracken, the head of the UK’s GDS, said in an interview, “The principles by which we work are nothing more than applied common sense in the Internet age. If they make sense, use them: they’re for everybody.” The same can be said for the US government’s Playbook.

Second, the Administration also announced two other initiatives this summer. One was the creation of 18F, which will be housed at the US General Services Agency (GSA). Also known as “Digital Services Delivery,” 18F is a self-described ‘open source team’ that encompasses the Presidential Innovation Fellows and an “in house digital delivery team.” 18F has published a policy which clearly states as its mantra to:

  • Use Free and Open Source Software (FOSS) in our projects and to contribute back to the open source community
  • Create an environment where any project can be developed in the open
  • Publish all source code created or modified by 18F publicly

And, on August 11, the White House announced a new U.S. Digital Service, which it described as “a small team made up of our country’s brightest digital talent that will work with agencies to remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government.” It is the Administration’s intention that the two groups “will collaborate closely.” The U.S. Digital Service will, as far as I can tell, be the proverbial shepherd herding the cats.

My colleague, Gunnar Hellekson, Red Hat’s North American Public Sector Chief Technology Strategist, has posted a thoughtful blog: U.S. Digital Service is Born. It is well worth a read, as it highlights both the challenges and opportunities facing these recent initiatives. As he says, “the questions of talent, agency appetite for change, procurement reform, and the bureaucratic home are all implementation details.” Yes, it’s about the how of open source software (and IT reform generally); it’s not about the whether.

These initiatives, particularly 18F and the U.S. Digital Services, are just getting started. By any measure they are works in progress. While there are some lessons from the UK experience to draw on, as one report indicates, “unlike the United Kingdom’s Digital Government Service, the United States has not created a singular new entity with a large budget and spending authority. Nor has it hired dozens and dozens of top technologists at high pay grades who then set about building core digital services for the country, although 18F merits comparison. Instead, the USDS will work with federal agencies as they create or upgrade services and products.”

The question for the US, however, is not merely staff size or budget, per se. Rather, it is assessing the ‘gap’ or problem where it can make a difference, and making sure that the lessons from prior US government efforts to develop open source software are not lost.

As I laid out in my post last year, I assessed government’s growing use of open source software and observed, “If government IT professionals rely solely on ad hoc rules or seat-of-the-pants judgment, this exposes government agencies to significant risk that is not, at present, properly documented or understood.” I identified at least three areas where the ‘how to’ of open source needs to be considered:

  • There are distinct risks associated with choosing a freebie/insourced model for use of open source software. In particular, community/freebie projects or insourced projects are likely to lack key security certifications, regular updates, support from third-party vendors, and interoperability with your critical applications.
  • Relying on freebie/insourced open source software effectively means a strategy of relying on internal support for critical missions, which is unknown territory and potentially expensive, given the difficulty of obtaining and retaining qualified IT and management personnel.
  • We could see a repeat of the failures and long-term costs associated with ‘government-off-the-shelf’ (GOTS) solutions. Although the projects may be, technically, commercial items as generally understood by governments, they present the same risks and economic liabilities as government-off-the-shelf software.

In my interview with David A. Wheeler, the long-time recognized leader in advising and working with the US government on issues related to open source software, he elaborated on the last point. “Project forking is still a big problem. … Government employees who are officially managing the project may be smart in general, but they often know little about software. Obviously, managers who don’t understand what they’re managing are often easily fooled. For example, government managers often don’t realize that most software costs are in maintenance and typically do not understand that maintenance costs can be greatly reduced (through sharing) if changes are released back to a larger community. … Part of the problem is that in most agencies, the easy thing to do is to create project-special forks, even though it is almost always the highest-cost and highest-risk approach for maintenance.”

As one step to mitigate that risk, Wheeler pointed to the open source software policy created by the Consumer Financial Protection Bureau (CFPB). In the CFPB approach, software developed using government funds must be released as open source software unless a special waiver is granted.

To their credit, 18F has built on that example and established as a key operating principle that it will publish all source code created or modified by 18F publicly. And the Digital Services Playbook in its ‘Default to Open’ play suggests for agencies to, “when appropriate, publish source code of projects or components online… and share your development process and progress publicly.”

Notably, this key Play advises agencies to “ensure that we maintain the rights to all data developed by third parties in such a manner that is releasable and reusable at no cost to the public… [and] that we maintain contractual rights to all custom software developed by third parties in such a manner that is publishable and reusable at no cost.”

In the end, 18F and the U.S. Digital Service will be successful if they lead by example and show leadership with US agencies on the ‘how to’ of open source software. They need to focus on instilling best practices across government as they work to implement this key tenet of IT reform, centered on agility, reusability, and default to open.

This measure of achievement may be as important as, if not more important than, any specific application or tool that emerges from their efforts.

Doubling down on government technology by Luke Fretwell

Originally posted on We’ve recently seen an uptick in venture capital interest around government and civic technology startups, but before we enthusiastically celebrate these investments, we must ask ourselves whether this potential bubble will truly reshape government IT or simply leave us five years from now in the same place we are today.

During the Code for America Summit in September, Govtech Fund’s Ron Bouganim and Code for America Director of Products & Startups Lane Becker had a great “Emerging Startup Ecosystem” discussion about the difference between civic and government technology, and the latter’s focus on solving inherent bureaucratic problems.

Bouganim’s closing comments have stuck with me since watching the interview, and they’re important for us all to think about as we commit to building technology solutions, whether it’s for internal government operations or public-facing citizen engagement applications:

“It is tough because it’s early. Clearly everybody in this room is transformers. These are the folks … that are at the front of this, so it’s tough, because you often at times feel alone, but I think there’s a growing community, and it’s only going to get better. So, I guess my fundamental advice is that if you’re really passionate about this space, and you really identify a big problem, you have to kind of double down on being an entrepreneur. It’s hard enough being an entrepreneur and, in an emerging space like gov tech, you have to double down on that, and I would just encourage you to stick with it.”

Announced in September, Govtech Fund will invest $23 million into government-focused technology ventures. Recently, Y Combinator also expressed an interest in the industry when it issued a request for startups that included those focused on the public sector. Andreessen Horowitz has already invested $15 million in OpenGov, focused on bringing visualizations to government budgets. Other startups such as Socrata and MindMixer have also received multi-million dollar infusions to build the future of public sector IT.

Given the consistent inability for government projects to deliver on time or on budget, especially in the light of recent, major IT failures, we’ve collectively identified the problem. While much of this is due to culture, bureaucratic procurement processes and waterfall project management practices, the fundamental issue with failed government IT is that it is built on proprietary solutions.

Because of this, not only do we not have access to code, more importantly, we lose an opportunity to create an ecosystem of community and collaboration that sustains itself. To put it in context of the latest civic meme, today’s government technology is built for, not with.

The early trend we’re seeing in government technology venture investments is that the focus is still on the proprietary. While this will have incremental benefits and provide short-term excitement with each new launch, they don’t address the bigger issue every government faces in harnessing control over their IT systems.

They’re locked down and locked in.

The argument you often hear when discussing open source with proprietary government technology startup entrepreneurs is that businesses need some form of competitive advantage to build a product and develop a customer base with enough runway to sustain itself longer term. While this makes sense in a commercial market, it addresses the needs not of government, but that of the entrepreneur. The technology may provide a cutting-edge, cloud-based, big data, mobile or social solution worthy of a press release or mention in the trades, but what is it doing to really change the IT conundrum we can’t seem to procure our way out of?

This isn’t to say these new technologies don’t have merit or their builders don’t have good intentions. Indeed, some do. However, there’s a classic innovation wall proprietary government IT software hits when it has reached a certain level of customer acquisition and no longer needs to compete. Oakland’s recent insistence that Granicus open up its application programming interface is exhibit A on what happens when a vendor corners a government market: technology stagnation trumps innovation. Without open systems or modularity, government is safely locked in.

We frequently hear the vending machine analogy applied to government. Today, the vending machine is the proprietary vendor machine, and government is the one doing the shaking.

If we’re going to double down and truly build a civic operating system anyone can plug into, and be proud of, we must invest in a strategy that sustains beyond one software solution.

We need to double down on a philosophical approach to government technology.

There’s not an overnight solution and the problem won’t be solved tomorrow, but if you’re really in this business to transform government, whether you’re an entrepreneur or investor, it’s time to double down on open.

Government can, literally, no longer afford to operate business as usual when it comes to technology. If ‘Vendor 2.0’ is simply a new class of fresh faces operating no differently than its predecessor, let’s prepare our kids for disappointment.

You’re either investing in or building tomorrow’s problem today, or you’re co-creating the future of government.

The latter might be a longer, lonelier road, but we have to stick with it because, as Bouganim says, it’s only going to get better.

Let’s double down.

22 Years Ago Torvalds Sent the Email That Started Linux

What started as an idea for an interesting project 22 years ago was kicked off by a single email from Linus Torvalds –

To: Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system

Hello everybody out there using minix — I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386 (486) AT clones. This has been brewing since april, and is starting to get ready. I’d like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I’ve currently ported bash (1.08) and gcc (1.40), and things seem to work. This implies that I’ll get something practical within a few months, and I’d like to know what features most people would want. Any suggestions are welcome, but I won’t promise I’ll implement them :-).

Linus (mailto:

PS. Yes — it’s free of any minix code, and it has a multi-threaded fs. It is NOT portable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that’s all I have :-(.

Using Open Source to Fight Fraud

In her June 04, 2013 article, Fixing welfare fraud requires technology reform, Melissa Threadgill of the Boston Globe calls on Big Data and Open Source Software and Open Standards to fight fraud.

“This is why state government needs to dramatically rethink its approach. Big, expensive, proprietary systems need to be replaced with off-the-shelf, open-source programs that can easily be adapted and updated with the latest technology. State agencies should adopt common data standards, preferably in concert with the federal government, to make data-sharing between agencies easier, and they should prioritize operating on platforms that can easily communicate.”

Threadgill cites Kansas and California as examples of using Open Source wins in the fight against fraud. “Kansas increased legislative transparency, improved Web functionality for citizens and lawmakers, and saved over $850,000 a year by moving to an open-source, cloud-based system.” Threadgill noted that since California built, “a new integrated computer network through a combination of off-the-shelf systems and open-source software, the California Department of Child Support Services increased performance, improved data quality, and reduced operating costs.” Both are big successes for the citizens of Kansas and California enabled by Open Source.

Read Threadgill’s full story at

Open-Source Backers March on Washington

Look out, lobbyists: Here come the open-source zealots.

Some of the world’s largest technology companies have banded together in a bid to push open-source software on the United States government. They’ve formed a group called Open Source for America, which seeks to make sure that government agencies at least consider open-source software as an option in their buying decisions. The big, rather timely pitch behind this move is that open-source applications can help save the government money.

“The market for open-source software is growing dramatically, but there still needs to be education around understanding how to get the most out of it,” said Roger Burkhardt, the chief executive of Ingres, a maker of an open-source database, who is on the Open Source for America board of advisers. “There are quirks to the government procurement process that need to be addressed.”

Open-source companies often give away their base product and then charge customers for support and other services. This model, according to Mr. Burkhardt, can perplex government bodies used to buying software upfront. In addition, the group hopes to make sure that open-source software receives the necessary federal nods for use in things like drug approvals and high-security computing projects.

Some of the initial members of the organization include Google, Oracle, Red Hat, Advanced Micro Devices, Novell and Canonical. A host of smaller open-source software makers are involved as well.

The board of advisers is more or less a Who’s Who of open-source advocates, including Eben Moglen, a prominent lawyer; Mark Shuttleworth, the chief executive of Canonical; Michael Tiemann, a vice president at Red Hat; and Jim Zemlin, the executive director of the Linux Foundation.

The government has aimed a large amount of its stimulus money at technology projects, and the open-source backers hope to get their fair share of that cash. More broadly, they would like the United States to follow countries in Europe and Asia with better defined guidelines around buying software.

The open-source “movement,” if you will, continues to have some grass-roots momentum, with developers working without charge to improve projects like the Linux operating system and Mozilla Web browser. That said, large companies have come to dominate the open-source world. I.B.M., Google, Intel and others employ many of the best known open-source programmers and have made the software a key part of their internal operations as well as their business strategies.

Regardless of their affiliation, open-source types have demonstrated a fondness for backing free software in a vocal, often argumentative manner. They’re sure to give the lobbyists working for proprietary software companies a run for their vocal cords and money.