Linus and the “Security Circus”

Ladeeeeez and gentlemen!

Well, methinks Linus is going to be “security villain of the week” for a few days again.

http://www.networkworld.com/news/2008/081408-torvalds-security-circus.html?hpg1=bn

Problem is, he’s actually got a good point.  Unfortunately, his use of “security circus” is going to be read as the whole security community, when he is actually referring to the lunatic fringes at both ends of the “disclosure” spectrum.  There are those who still cling to the outdated and disproved dogma of “security by obscurity,” and there are the self-promoters (with egos the size of the MS Windows Vista source code) who are eager to trumpet any little flaw they find as a “security” vulnerability.  Those of us in the trenches have been trying to keep vendors and consultants from using these arguments on the uninformed for years.  Linus is saying the same thing.  He’s as frustrated as we are, and for the same reasons.  He just uses more sensational phrases.


CloudAV

A few media sources seem to be picking up a press release from the University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on “CloudAV,” a project and series of papers about having antivirus detection run “in the cloud” rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on here.   CloudAV is not really a new approach, it is simply the use of multiple scanners, which the  AV research community has advocated for years.  It’s like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers so you get a bit of performance advantage (absent the bandwidth lag/drain for submitting files to multiple systems).


Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

“United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.”

So far, aside from the rather ill-defined reference to a “PC super bug” I don’t have all that much of a problem. A trojan could be designed to “worm” into the system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use polymorphism because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.


Where there’s an old technology, there’s a way …

I’m a dinosaur.  I freely admit it.  I use computers for far too long.  I use programs for even longer.

My word processor of choice is WordPerfect.  Version 4.2.  It does what I need, since most of what I do in terms of writing has to do with actual writing.  In other words, words.  Text.  I don’t care much about graphics, desktop publishing (does anyone even know what that means anymore), or mindmaps.  I’ve been using WordPerfect since 1985, although I admit I’ve moved up from 4.1 to 4.2 in the early days.  My wife uses a much more advanced version: she uses 5.1, since she does more with actually printing stuff out.
Over the years I’ve had to learn a few tricks to get WordPerfect to run, and print, with various versions of MS Windows.  (I’ve actually got a copy of WordPerfect Office 8 for Windows around, but it really was kind of a step backwards, so we’ve never really used it.)  Recently the (very old) HP LaserJet 4L that we’ve been using (for quite some time) started printing messy pages.  It was the advice of people in the printer biz that it would be cheaper to buy a new printer than to have the old one cleaned.  Since a new HP LaserJet P1005 was slightly less than $60 (getting a USB cable for it cost almost half again as much, and getting a new cartridge for the thing is even more) this seemed to be the case.

So, my Scottish soul bemoaning the fact that I was sending an almost-perfectly-good printer to the recycling centre, I got a new printer, and installed it.  The print quality is fine (slightly better than the old machine) and it even prints faster.  Under Windows, it’s just fine.

As I said, I’ve had to learn a few tricks over the years to keep the old proggie printing, so I knew about “net use lpt1:.”  DOS programs want to use the old parallel and serial ports, and desktop printers don’t come with those ports anymore: they all use USB.  So you have to install the printer, and then fake DOS out by redirecting the LPT1: output to the installed printer.  Set it up, fired up WordPerfect for a test, and tried a page.  Nothing.

Opened up the print queue and watched.  Job went to the print queue all right, stayed for about a minute, disappeared without an error–and nothing came out of the printer.  “Net use” is obviously working, but the printer isn’t.
Asked for help from HP.  Got back a message saying to turn on Microsoft Loopback Adapter.  Even had detailed instructions on how to do it.

Trouble is, MLA is only useful if you haven’t got any kind of a network.  The “net use” stuff won’t work if you haven’t got a network, so using MLA kinda pretends you’ve got a network, so the redirection stuff works perfectly happily.  (Is it just me, or is there something wrong with a technology that requires you to hack your own system to use basic and normal functions?)  Since everybody who has a high speed connection to the Internet these days (and that is a pretty large majority) has a “local” network, MLA is pretty much unnecessary.  So I replied back to HP thanking them and explaining why their workaround didn’t help much.  Got back a snarky reply saying that they were just trying to help, and telling me to do it again.  No help from HP, then.

Turned to friends.  (Probably where I should have started in the first place, right?)  Got some suggestions to use PRN2FILE (old and free), DOS2PRN (newer and shareware), and Printfil (newer and very commercial).  All of these basically do the same thing as the “net use” command, so they didn’t help very much.

Another friend looked to the online documentation at HP.  (You don’t get any documentation with printers anymore.  Not even for the installation.  If I hadn’t installed an HP combo scanner a few years back I wouldn’t even have known that you have to install the software and start the setup running before you connect the printer.  HP doesn’t even include a sheet telling you that anymore.)  As far as he was concerned it should work, since the printer I had did support the HP PCL.  Unfortunately, the documentation isn’t very good on versioning.  You see, there is not only an HP LaserJet P1005, there is also an HP LaserJet 1005, as well as an HP LaserJet 1500 series.  The HP LaserJet P1005 doesn’t have PCL.  I’d bought a (*&^@#+”~ Winprinter.

OK, that’s it. right?  Game over.  You can’t make a Winprinter, which basically expects a bitmap from MS Windows, to print anything else.

Not quite.

Enter yet another friend with a pointer to http://www.columbia.edu/~em36/wpdos/winprint.html#usbprint.  Good old Columbia U.  (Good people at Columbia.  They brought us Kermit.  You’ve never heard of Kermit?  Kids these days …)  Starting there, I eventually found http://www.columbia.edu/~em36/wpdos/v5macroanyprinter.html.  I mean, how particular do you need to get?  Not only is it specifically for WordPerfect version 5.1, it even has a Ghostscript printer driver, and the macros to make it all happen with one keystroke.  Beauty job, guys.

I should also mention the Ghostscript and Ghostgum people.  I’ve actually been aware of those programs for some time.   I used to use them for reading PDFs, since it was generally quicker and more useful to use them than the Adobe reader products.  (I haven’t been able to turn WordPerfect docs into PDFs just yet: something odd with the GSviewer macro, but at least I know it’s possible.)

There’s always more than one way to skin a computerized cat …


Hacking is wrong, but abuse of process is wronger …

http://news.bbc.co.uk/go/em/-/2/hi/uk_news/7456216.stm

“Lawyers for Glasgow-born Gary McKinnon told the House of Lords US authorities had warned him he faced a long jail sentence if he did not plead guilty.

“The systems analyst is accused of gaining access to 97 US military and Nasa computers from his London home.

“Known as Solo, he was arrested in 2002 but never charged in the UK.”

So far, so bad.  Breaking into computers has very little justification, and “just having fun” isn’t exactly a defence.  However:

“Without co-operation, the case could be treated as a terrorism case, which could result in up to a 60-year sentence in a maximum security prison should he be found guilty on all six indictments.

“With co-operation, he would receive a lesser sentence of 37 to 46 months, be repatriated to the UK, where he could be released on parole and charges of `significantly damaging national security’ would be dropped.

“A US embassy legal official quoted New Jersey authorities saying they wanted to see him `fry’.”

This bothers me.  A lot.  It’s too much like security theatre, as well as being flat-out immoral.  He did something wrong: he should be punished.  But he should be convicted properly, and punished appropriately, not intimidated into pleading guilty in order to inflate someone’s prosecution records.


Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.


Ummm, wait a minute …

A recent survey revealed that 57 percent of Americans fear that their account passwords will be stolen when they bank online, and 38 percent do not trust online payment processing, banks and other ecommerce services. […] Justifying consumer concerns, 21 percent of the respondents in the survey said they had already had their bank data stolen. 40 percent of consumers who took the survey said they would buy more online if the security was strengthened. Another 44 percent of people said that online credit card processing worried them.

Source: http://www.prweb.com/releases/2008/4/prweb851444.htm

Customer satisfaction with online banking sites has risen significantly over the past five years. […] The reading of 82 was higher than customers gave banks overall – 78 in 2007 – suggesting they are more pleased with banks’ online operations than with branches and call centers. […] The survey measured customers’ experiences with three types of financial institutions – banks, credit card companies and investment services firms. Banks got the highest score out of the three financial categories.

Source: http://news.yahoo.com/s/ap/20080415/ap_on_hi_te/online_banking_survey[…]


Spuds and system security

Recently, there has been a great deal of concern over the rise in prices of common staple food grains.  A frequently cited cause for this price jump is international speculation in commodity markets, and the disproportionate effect this can have on the price of the commodities themselves, quite apart from the usual cycles of supply and demand.

What fewer people may know is that the UN declared 2008 as the international year of the potato.  (They did this, of course, some time ago, so the contrast in notions becomes even more intriguing.)

There is some irony in that, but it gets better.  (Both from the perspective of irony, and from the point of view of useful analogies for infosec.)

The potato (the “humble” potato, as it is frequently described) is suitable to a great many climatic conditions, and is generally more productive than grain crops (and *much* more productive than meats, etc.)  It is also surprisingly nutritious.

(Ah! I hear you cry, what about the Potato Famine?  Well, in that case the potato was, oddly, a victim of its own success.  We know, or should know, the dangers of the monoculture, which was what led to the famine.  [And that topic has relevance to infosec as well, but it has been amply discussed elsewhere.]  However, what is less well known is that the introduction of the potato, 250 years prior to the famine, led to a 5-8 fold increase in the population of Ireland over those twenty-five decades, due to an increase in both food source and in nutrition.)

So, what about world food crops, commodities, and skyrocketing prices?  If we convinced people to grow potatoes, wouldn’t we just become dependent upon potatoes, and then there would be speculation in potato futures?  Well, oddly, it seems not.

Grain, when harvested, is fairly dry, and can easily be dried even more for storage and shipment.  And, to pretty much anyone except a pasta maker, wheat flour is wheat flour.  You can make any product you want out of basically any flour you can get.

Potatoes are wet.  They get used fresh, for the most part.  (The technical advances in producing dried mashed potatoes seem to parallel those of artificial intelligence: there is a lot of interest, and a lot of work, but those who have tried the results can tell you that there is work yet to be done.)  Also, people who use and eat potatoes tend to have preferences.  (And there are a great many varieties of potatoes.  Remember that monoculture bit?)

It seems that potatoes are one of the few staple crops that are resistant to commodity markets (however susceptible they may be to the blight).

So, what’s the point for infosec?  Remember the lessons of security architecture.  Build your architecture based on resilient and resistant technologies, not on the most popular.  It’s not a new lesson: it rests on the foundation of risk management which should be foundational to all security.


Gresham, Akerlof, and security (lack of) quality

I didn’t read Schneier’s Wired article (http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419) until it came out in his newsletter, but it struck an immediate chord.  He was commenting on Akerlof’s work proving that, when vendors know a lot more than buyers, the marketplace ends up flooded with bad “goods.”  (http://en.wikipedia.org/wiki/The_Market_for_Lemons)  (He doesn’t mention Gresham, who showed that items of inherent value tend to disappear from the market (http://en.wikipedia.org/wiki/Gresham%27s_Law).)

As a reviewer of security books, I see this all the time.  It takes time to write a book.  It also takes time to learn something of value to put into a book.  So it’s a lot easier to write a bunch of nonsense and sell it.  After all, almost by definition, the people to whom you are selling the books will not know the difference.  If they could tell the difference between good advice and bad advice, they wouldn’t need any advice.

I’m also seeing the same thing in conferences.  Conferences are expensive to organize.  And, increasingly, conferences are organized by professional event companies, not anyone who really knows or cares about the topic.  Therefore, it is easier and cheaper to get vendor representatives as speakers for the events.  (Generally the vendors are only too happy to send their people, and will pay all the expenses, and sponsor something for the conference as well.)  People who actually know something probably don’t want to pay their own way to speak at these things (or can’t), or can’t be bothered to jump through the hoops held out by the event companies.


Worse luck

It’s been a while since I got out to the trade seminars. You know, marketing’s traveling bumpf show, where they trot out the VP of sales, plus a “security evangelist” or somebody with some such title (who has a technical background, but likes schmoozing more than doing actual research). I used to go to lots: it’s a good way to get up to speed when you first enter a field, but the law of diminishing returns tends to set in real fast in terms of actual information.

There were actually two that I signed up for this week. SANS had one, and I’ve never been to any SANS stuff, so I went to that. Intel also had a real dog and pony show, with extra associated vendors. When I get home from these things, Gloria always asks me whether I’m glad I went.

I’m glad I went to the SANS show. Didn’t get much out of the presentation itself. But the style of the presentation was intriguing: an awful lot of “cute stuff” demonstrated, without much actual information being relayed. The attitude of the presenters was also interesting: they were definitely in it for the cash.


Pervasive Cluelessness

If you don’t know about the Julie Amero case, you probably should. The case says all kinds of disturbing things about authorities who don’t take responsibility for the technology under their control, prosecution on the basis of public outrage, total failures of forensic procedures, and media witch hunts. The case has been written about all over the place. Here’s a recent sample:

http://www.internetnews.com/bus-news/article.php/3668451

> All she appears to be guilty of is being utterly clueless about computers.

This seems to be an all-too-common theme. While I think we can all appreciate the support, in terms of outrage over the conviction itself, I wish people wouldn’t keep sounding the “clueless” drum.

(If you don’t have any background on the case, then you’re ignorant of it, correct? You might want to do a search on “Julie Amero.” I’ll wait.)
I recall, way back when I was first getting involved with info tech, an editorial in “The Computing Teacher” (as it happened). It stated that, even if you didn’t have a computer, the simple fact that you subscribed to the magazine meant you were more tech savvy than 95% of your colleagues. (It was undoubtedly correct.)

Most people only *think* they know about computers. OK, so these smart-alecs know that turning off a monitor means you don’t turn off the computer. Good for them. (I can recall working on machines where, if you did turn off the monitor, you lost the session. Guess who’d be laughing at the smart-alecs in that case …)

I work in some fairly esoteric areas of technology. Any of the bloggers, and even tech rag columnists, that have made comments about cluelessness (on the part of Julie, the school, or even our good friend Mark) would be similarly woefully ignorant of things I take for granted. Everybody is ignorant, only on different topics (to quote another Mark).

I’d say that one of the important points to be made about this whole situation is that society at large is clueless about the technology that is increasingly important in all of our lives. And that includes those of us who supposedly know about it …


Consumer Reports writes viruses

OK, once more. (We, in the AV research field, have been through this endlessly, particularly with Doren Rosenthal back a decade or so.)

Finding “fake” viruses doesn’t prove anything. (How do we know what CR created were really viral? ISE’s involvement is promising, but not definitive. And CR has never shown any particular aptitude for technology, although I always read up on their reports when I’m buying a new blender.)

Creating “new” viruses is a no-no in the AV research field. Yes, it’s a knee jerk reaction going back to the time that the creation of any new virus was a cause for alarm, but nobody has ever gained any benefit from writing viruses. Ever. (Yes, I’ve heard all the arguments about teaching people to write viruses so they know how to defend against them, and even using viruses to fight viruses. Nobody has ever been able to demonstrate any benefit. Ever.)

Using “new” viruses to test AVs just means that you guessed closer to the winner’s heuristic algorithm than the others in the test. Doesn’t prove anything about the quality of the programs either way.

What it does prove is that CR was lazy about doing the testing. There are lots of ways to test AVs, but they all involve hard work. (Believe me: I did it for years, and I’ve published more tests of AVs than anyone else.)

For example, CR tells us a little bit about how they tested the stuff.

“We hadn’t seen any independent evaluation of antivirus software that measured how well products battle both known and new viruses, so we set out to fill that gap.”

Obviously they didn’t search very hard: my stuff is old, but it is still online. Also, testing is covered in detail in both RSGCV and VR. And Robert Vibert even did a self-published manual on it a few years back.

(Some references to the difficulty:
http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper019/final.PDF
http://www.softpanorama.org/Malware/Reprints/virus_reviews.html
The latter was actually written by Alan Solomon: Sarah Tanner was a secretary at VNI or VB, I believe.)

In their explanation of how AV software works, they betray the fact that they haven’t done any research. There are, and always have been, only three basic AV detection measures: signature scanning, change detection, and activity monitoring. They only talk about signature scanning. (The comment that “[d]epending on the manufacturer, that process may take a few days” is interesting: even Fortinet, which does AV as a sideline in its firewalls, was looking at a 1 hour turnaround three years ago.) The mention of heuristics also betrays a lack of awareness: heuristic scanning is a static form of activity monitoring, and it isn’t the only “generic” AV (although it is currently the most popular form).

“To see how quickly software makers update their signature lists, we gave all of the products Internet access. Then we spent weeks closely monitoring each product and noted how early, if at all, the manufacturer equipped it to detect newly discovered viruses.”

This is interesting. It’s too bad they don’t go into more detail: it is the type of info that could, in fact, be useful.

“To pit the software against novel threats not identified on signature lists, we created 5,500 new virus variants”

This, of course, is what everyone is talking about. Creating one or two carefully crafted viruses, aimed at threats which might be emerging but not widely used yet, might be interesting. Mass creation of 5,500 viruses means you do it in an automated fashion. Which means you use the same type of heuristic that the AV vendors do when creating their heuristic sigs. So, as noted above, whoever wins used the same heuristic you did, or you used the same one they did. Has nothing to do with what vxers do.

“Then we infected our lab computer with each of 185 of them to see whether the products could better detect viruses that were actively executing, based on their behavior.”

Weird. Need much more detail on this. Did CR infect its lab with real viruses? Or only the artificially created ones?

“Finally, to see how often the antivirus software raised false alarms by identifying benign files as viral, we scanned more than 100,000 clean files.”

Good. Did they also try to disinfect infected files? Did they try to disinfect non-infected files?

From the MSN report:

http://redtape.msnbc.com/2006/08/consumer_report.html#posts

“it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats.”

So you deliberately create the viruses based on how well they evade detection, and then use them to test AVs? Sure, that sounds like a good idea. And how well did the AV do that you were initially using to test whether or not they evaded detection? Where did you get your ideas on how to make new viruses that evade detection, old copies of Phrack? In fact, minor new variants aren’t even worth testing. The real dangers are the completely new viruses, like a Melissa, LoveBug, or Blaster, using a completely new vector or function.
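To make the three detection measures listed above (signature scanning, change detection, activity monitoring, plus the static heuristic that approximates the last one) and the “changed just enough to evade detection” variants concrete, here is an added example in Python. It is not code from the original post or from any AV product or from Consumer Reports; the sample “files,” the call traces, the API names, the made-up code bytes behind the “Injector.A” signature, and the rule thresholds are all constructed for the example and nothing in it is real malware.

```python
import hashlib
import re

# --- constructed samples (made-up bytes, not real malware) -----------------
HEADER = b"MZ" + b"\x00" * 8
CLEAN = HEADER + b"GetStdHandle\x00WriteFile\x00ExitProcess\x00Hello, world\x00"
INJECT_STUB = b"\xb8\x01\x00\x00\x00\xe8\x10\x00\x00\x00"   # assumed "injector" code bytes
MALICIOUS = (HEADER
             + b"OpenProcess\x00VirtualAllocEx\x00WriteProcessMemory\x00"
             + b"CreateRemoteThread\x00" + INJECT_STUB)
# constructed call traces, as an activity monitor would observe them at run time
CLEAN_TRACE = ["GetStdHandle", "WriteFile", "ExitProcess"]
INJECT_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                "CreateRemoteThread", "ExitProcess"]

# --- 1. signature scanning: an exact byte pattern with an assumed name -----
SIGNATURES = {"Injector.A": INJECT_STUB}

def signature_scan(data):
    return [name for name, sig in SIGNATURES.items() if sig in data]

# --- 2. change detection: compare each file against a hash baseline --------
class ChangeDetector:
    def __init__(self, baseline_files):
        self.baseline = {p: hashlib.sha256(d).hexdigest()
                         for p, d in baseline_files.items()}

    def check(self, path, data):
        if path not in self.baseline:
            return "new"
        digest = hashlib.sha256(data).hexdigest()
        return "unchanged" if self.baseline[path] == digest else "modified"

# --- 3a. static heuristic: injection API names present in the file image ---
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread"}

def static_heuristic(data):
    names = {m.decode() for m in re.findall(rb"[A-Za-z]{6,}", data)}
    return len(names & INJECTION_APIS) >= 3      # assumed threshold

# --- 3b. activity monitoring: the same idea applied to observed call order --
def activity_monitor(trace):
    seen = [c for c in trace if c in INJECTION_APIS]
    return ("WriteProcessMemory" in seen and "CreateRemoteThread" in seen
            and seen.index("WriteProcessMemory") < seen.index("CreateRemoteThread"))

# --- variants "changed just enough" to slip past the exact signature --------
def variant_nop_padded(data):
    """Insert a 0x90 between the stub's two (assumed) instructions."""
    return data.replace(INJECT_STUB, INJECT_STUB[:5] + b"\x90" + INJECT_STUB[5:])

def variant_xor_strings(data, key=0x5A):
    """XOR the API name strings; a run-time decoder is assumed, not modelled."""
    for api in INJECTION_APIS:
        data = data.replace(api.encode(), bytes(b ^ key for b in api.encode()))
    return data

def verdicts(detector, path, data, trace):
    """One row of results: what each measure says about the same sample."""
    return {"signature": signature_scan(data),
            "change": detector.check(path, data),
            "static_heuristic": static_heuristic(data),
            "activity": activity_monitor(trace)}

if __name__ == "__main__":
    det = ChangeDetector({"app.exe": CLEAN})
    evasive = variant_xor_strings(variant_nop_padded(MALICIOUS))
    for label, data, trace in [("clean", CLEAN, CLEAN_TRACE),
                               ("malicious", MALICIOUS, INJECT_TRACE),
                               ("nop-padded", variant_nop_padded(MALICIOUS), INJECT_TRACE),
                               ("nop+xor", evasive, INJECT_TRACE)]:
        print(f"{label:12}", verdicts(det, "app.exe", data, trace))
```

The point of the table it prints is the post’s own: the padded variant beats the exact signature but not the heuristic, the padded-and-obfuscated variant beats both, yet change detection still sees a modified file and the activity monitor still sees the same injection sequence, because the behaviour did not change. A tester who generates variants by the same recipe the heuristic was written against learns nothing about the product.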

And, yes, if you do go to the page for the actual tests, all you get is a page asking you to subscribe.

Yup, sounds like a PR gimmick to me …


YACoIT: Yet Another Case of Identity Theft

In teaching recent CISSP CBK seminars, I’ve had a number of people from banks and financial institutions in attendance. I have, for some years, tended to make the statement that The-Powers-That-Be are not yet taking identity theft seriously enough, even if some activities are taking place. (I note that recent legislation in New Jersey, supposedly aimed at solving the problem, allows you to effectively destroy your credit rating. What kind of a solution is that?) (I’m not sure how easy it would be for someone else to use the system to destroy your credit rating …)

Here’s another example, this morning in the Vancouver Sun:

http://www.canada.com/vancouversun/news/story.html?id=ac57c581-6720-42ea-bb3d-e0ce211879b4&k=74972

The circumstances for the victim are, of course, appalling and distressing. However, the victim in this case has been active and on top of the problem. What seems to be outrageous is the inability of the various authorities to deal with the situation. One LE group only deals with identity theft if it involves large scale organized crime. A government entity seems to be doing nothing, even though it was their error that allowed the impersonation to take place to begin with. Nobody seems to have been able to catch up with the person perpetrating the fraud, despite the fact that they’ve got two addresses, a description, and at least one photograph, and the fraudster has been arrested once and suspected on another occasion.

A bank, alerted to the fact that fraud was taking place, and having been involved in closing out the defrauded accounts, within 24 hours changed, or allowed the fraudster to change, the new accounts so they went to the fraudster! (The bank did, eventually, replace the stolen cash. Which seems to be, quite literally, the least they could do, in the circumstances.)

The Sun has kindly provided a quiz and checklist for consumers to prevent identity theft:

http://www.canada.com/vancouversun/news/story.html?id=38b39642-632c-484c-986e-b314743c3bad

It’s rather amazing how few of the items on the list would have any bearing on the story in question.

(I particularly like the oft-repeated advice to shred any credit card applications you receive. All the credit card applications I get have lots of personal information: my name and address. Am I supposed to run around shredding all the unused telephone books in recycling bins?)


Service@amazon.com

I review books.

I submit these book reviews to various mailing lists, where the topic is appropriate.

I also run mailing lists (on Yahoo, Topica, and now Google) that carry the full set of reviews.

Somebody keeps on subscribing “service@amazon.com” to my lists.

service@amazon.com bounces any traffic to it. It tells you to contact Amazon’s help Web site.

As anyone who has tried it knows, Amazon’s help pages are massively unhelpful. (They may be of some marginal assistance if you have placed an order that hasn’t come: not ever having purchased anything through Amazon I wouldn’t know.)

I keep removing and banning service@amazon.com from my lists. It keeps coming back.

I have tried contacting Amazon.com. It is impossible to get past the first level of what is laughingly known as “support.” Their position is that Amazon doesn’t do that. (It is not entirely clear that they have a firm idea of what “that” is.)

It is possible that someone has been spamming out messages using service@amazon.com as a return address. If that were the case, why wouldn’t the address show up on my (many) other mailing lists that are not directly related to books?

It is possible that someone has been trying to set up Amazon by trying to subscribe this address to my book review list. However, if that person were not associated with Amazon, how would they obtain the response that Yahoo (and other mailing list systems) sends back to confirm that the address is good?

It is possible that someone at Amazon, buried deeply enough in the IT area that they have access to the service@amazon.com account, is so technically incompetent that they neither know nor care how annoying this is. At the moment, that seems the most likely option …
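The reasoning in the post turns on confirmed opt-in: the list server mails a challenge to the address being subscribed, and only someone who can read that mailbox can complete the subscription, so a stranger subscribing service@amazon.com should never get past the challenge. As an added example, not the post’s own and not how Yahoo, Topica or Google Groups actually implement it, here is a minimal version of that flow in Python. The HMAC-based token format, the three-day expiry, the secret key, the addresses and the simulated outbox are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

class ListServer:
    """Minimal confirmed-opt-in list manager (example code, not a real list server)."""

    def __init__(self, secret, ttl_seconds=3 * 24 * 3600):   # assumed 3-day expiry
        self.secret = secret
        self.ttl = ttl_seconds
        self.subscribed = set()
        self.banned = set()
        self.outbox = []    # (recipient, body): the ONLY place a token is delivered

    def _mac(self, address, issued, nonce):
        msg = f"{address}|{issued}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscribe(self, address, now):
        """Anyone may call this on anyone's behalf; it only mails a challenge."""
        if address in self.banned or "|" in address:
            return False
        nonce = secrets.token_hex(8)
        token = f"{now}.{nonce}.{self._mac(address, now, nonce)}"
        self.outbox.append((address, f"CONFIRM {token}"))
        return True

    def mailbox(self, address):
        """What the owner of `address` (and nobody else) gets to read."""
        return [body for to, body in self.outbox if to == address]

    def confirm(self, address, token, now):
        """Succeeds only with a fresh token that was mailed to `address`."""
        try:
            issued, nonce, mac = token.split(".")
            issued = int(issued)
        except ValueError:
            return False
        expected = self._mac(address, issued, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False      # forged, or a token issued for a different address
        if now - issued > self.ttl or address in self.banned:
            return False
        self.subscribed.add(address)
        return True

    def remove_and_ban(self, address):
        self.subscribed.discard(address)
        self.banned.add(address)

def token_from_mail(body):
    """The mailbox owner copies the token out of the challenge message."""
    return body.split()[1]

if __name__ == "__main__":
    srv = ListServer(b"example-secret")                     # constructed key
    srv.request_subscribe("reader@example.invalid", now=1_000_000)
    tok = token_from_mail(srv.mailbox("reader@example.invalid")[0])
    print("stranger confirms:", srv.confirm("attacker@example.invalid", tok, now=1_000_100))
    print("owner confirms:   ", srv.confirm("reader@example.invalid", tok, now=1_000_100))
    srv.remove_and_ban("reader@example.invalid")
    print("after ban:        ", srv.request_subscribe("reader@example.invalid", now=1_000_200))
```

Binding the address into the MAC is what makes the third-party theory in the post implausible: a token lifted from one mailbox will not confirm any other address, and without the server’s key nobody can mint one. The ban check in both `request_subscribe` and `confirm` is the part that should have stopped the address “coming back”; if it keeps returning, either the confirmation mail is being read by someone with access to the mailbox, or the list software is not doing this check.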


“Rootkit” revamped?

Wearing my “glossary guy” hat, one of the things I’ve noticed is how difficult it is to come to complete agreement on the precise definition of many terms that are used in infosec. There are, for example, three quite distinct meanings for the term “tar pit.” (And that’s in terms of networking alone.) (It is highly unlikely that we will ever be able to reduce the number of tar pit definitions to one: all the definitions came at about the same time, and all are important and equally valid.)

However, what really irks me is when defined and agreed upon terms start being misused, sometimes to the point where the original term becomes useless. There is, of course, “hacker.” (And I’ve given Hal a diatribe about “zero day” which will probably be coming out in the next ISMH.)

The latest endangered term seems to be “rootkit.” A rootkit has been defined as programming that allows escalation of privilege or the option to re-enter the compromised system with greater ease in the future. Often rootkits also contain functions that prevent detection of, or recovery from, the compromise.

Starting with the recent Sony “digital rights management” debacle, the general media now seems to be using “rootkit” to refer to any programming that hides any form of information on a system, and specifically any functions that impede the detection of malware. The latest reports are that Bagle and other malware/virus families now contain “rootkits.” Antidetection features in viruses are nothing new: there was a form of tunnelling stealth implemented in the Brain virus 20 years ago. Therefore, to use the term rootkit to refer to this activity can only degrade the value of the term.

It has been difficult to ensure that infosec specialists can at least talk to each other and exchange useful information. However, this may not last much longer if our “precious verbal essences” become contaminated.
