National Vulnerability Database and how further

Yes, the National Institute of Standards and Technology has created a great new database: the National Vulnerabilities Database. This database has over 20.000 known software vulnerabilities listed for a slew of programs. All the reports are built on the official CVE terminology. This is great, because it gives systemadministrators a known and trusted source on vulnerabilities for most of their software.

Though this is great I do wish we can take this initiative a step further. What I would like to see is a database where peoples home systems could check whether there are (security)updates for their software and hardware. We really really need such a system. I'll try to frame the problem and than I will give you an idea of my solution.

Problem
A growing problem in ICT security is that we get more and more intelligent systems connected to networks that one way or another can access the internet. Think of Tivo's, Mediacenters, Axis Network cams, DSL-modems, Wifi access points, Philips Streamium, set top boxes, fridges?? etc. All of these come equipped with their own embedded operating system, webserver for maintenance etc. This makes them very scary from a security point of view. If we're unlucky the software for these systems is buggy and can be exploited by hackers. Don't think it is not possible... Axis Network cams were hacked the moment they were hooked up to the Hacking At Large 2001 network. The trouble is we install these machines in our homenetwork and tend to never look at them again. We might take care of our home PC, but how many people update their ADSL modem or their wireless router? And the really bad thing is, where our pc nowadays notifies us that Windows or OSX needs to be updated, these machines stay always on and always quiet. They are the perfect target for hackers.

Solution
My solution is: Have all systems and all software on them register centrally with a local "hackable systems database" (need a cool name) with device name, type, software version and a hash of each of the current installed files . In an office setting this could be at the IT-department, at home this could be the home pc. This way you have a view of what is within your organisation and hooked up to the network. Now the "hackable systems database" could check with a central database and check the information it has on record to known vulnerable files and software versions. This way sysadmins and people at home can know automagically whether or not their systems are vulnerable. This system can also be used by the software and hardware to check whether there might be updates and update themselves automagically.

We're already doing this on one system. Debian apt-get is world renowned for it. Microsoft tries to the same. Now do it for the whole house/company.

Requirements

1. A standardized interface for systems and software to report their existence to one or more central systems ( "hackable systems database") on startup and/or when asked.
2. A standardized interface between the central database and the "hackable systems database"
3. A central database for software developers and system designers to report their software and subsequent updates to. My idea would be to organize this per economic region, much like the Regional Internet Registries. This way it feels more local to developers, which might help them report their software. NIST and the European Network and Information Security Agency seem like good candidates.
   
4. A low barrier to register the software and the updates, but with good security. The system should be free to use, so a good task for governments.
5. A cool name! TWAIN is already taken... but something like it... people should want it!!
   

Who should do this?
Industry together with standardization institutions like IETF, NIST, IEEE and security organisations like CERT's and ENISA.

Update: Saw a great presentaton by Michiel de Bruijn who goes into the underlying problem: Everything You Know About Client Security Is Wrong (Or: What It Would Take To Build A Secure OS Your Mother Could Use) He goes into the underlying errors on computer system. Follow the link

Watch Out! Scientology about!

Just a warning to all, it seems that my previous posts attract Scientology ads. Scientology is not an organisation I support. Actually my opinion of them is quite negative, espescially for their continued lawsuits in the Netherlands to restrict free speech. Just look up Fishman Affidavit on the internet. I do like this case for one reason only and that is that it has generated good solid jurisprudence, which is still benefitting us all now. For more info

Scientology has all the traits of a cult and therefore has appeared negatively in the press on an almost continuous basis. It has been accused of brain washing, harassing, misinforming etc etc. It also has major problems with dealing with criticism. All in All something to stay away from. The ads are for Scientology Volunteer Ministers, which seems to be a latest way of getting into the public view positively. Make up your own mind, but I have made mine!

Avantgarde and the Fringe

The Rotterdam Film Festival is now happening in Rotterdam. Last Sunday I saw a poster there for a debate on whether it was nescessary in the movies that there is such a group of people as an avantgarde. One of the guys on the panel was the Russian director Ilya Khrzhanovsky. He is responsible for the movie 4, which for some reason or the other brought him in conflict with the Russian authorities (we're almost back to the good old days). Friends of mine have seen the movie at the festival and reported that it was dreadful and that a large part of the audience walked out during the movie (these are art festival people, they can stomach something). All in all the movie shows Russia is a crap place to live in. This we knew already, so sorry for spoiling the ending, but be glad I saved you from the movie.

The debate got me thinking. In it's own, the debate is irrelevant, yes we need an avantgarde, plain and simple. We need people to do new stuff that we later on want to immitate and improve upon. Avantgarde is the military term for the advanced troops. It are the people you want to follow, the elite, the Navy Seals, Golan Troups, Green Barets of the art world. They do the stuff the normal army grunt would want to be able to do. In art terms, the avantgarde are those directors, actors, painters , sculptors, dancers who do stuff you and I wished we would do and think off.

Next to the avant garde and us grunts, there are two other groups. The guys at the rear, the cowards, they are uninteresting loosers, best left for painting gyspy boys with tear and filming teenagers movies. And then there is the fringe. The fringe are all those people who sit in the bar bragging about theirwar stories and how they should be, could be, have been an avantgarde Green Baret, Special ops artist. Even if they ever were, now you wouldn't want them to be your buddy in the fight. They are the most pitiful people always talking, never performing. The trouble is how do you recognize the bragger from the real deal. In my opinion it is this: If other people and artists talk about your work for its contents, your avantgarde, if they talk about it because of the uproar you created with politicians etc. you're fringe.

There are systems that record victims

Well I finally did a bit of searching and there are systems available that record victims. It was ofcourse presumptuous of me to think there might not be. A Japanese group has build a system. Their presentation to ETSI can be found here. It has a great name: I Am Alive. This system seems to be currently in use by the Thai governement and Red Crossat this moment.

The Australian governement has a system which is described here by the Red Cross which is using it. The system is called the National Registration and Inquiry System (NRIS).

I have seen the results of the the I Am Alive-system and it looks like an excellent system. It would be great if they could get some global support to further develop this system. At this moment it seems only Japan is working on this system and a quick search on Google didn't point too many English language pages on the system. I'll see if I can find some information on it.

I imagine every ministery of Interior, or government emergency response organisation should have a copy always ready and available on a webserver. So whenever there is a disaster this system is already running and can be used to register all the countries nationals potentially involved and can then later be used to compare these data with the records of the country affected. Maybe the United Nations Reliefweb website could be used as a basis.

System to help out after disaster

Just sent this to Ask Slashdot. Don't know if they are going to pick it up, but you never know. I might work out the idea in a later post.

Like everybody I am following the news on the tsunami and I noticed a couple of things that got me thinking. After a disaster there are generally two major questions that need to be answered. 1. Who survived, got injured, died, is missing? 2. What relief is needed, where and who provides it? My question is, does anybody know of easy to use information systems that support the answer to these questions? It seems there are no good systems around/being used to support helping out with the first question. The second one I hope the UN has something, though I have an idea it could do with some helping out/updating.

At this moment I notice that the missing persons website in Thailand has a girl I know twice on record, once with a typo. It is very slow and doesn't seem linked to the hospitals because her husband who is injured in a hospital is listed on another website. Each countries Ministry of Foreign Affairs seems to keep its own list of missing persons. This is not only a problem with big transnational disasters, but also was a problem with 9/11 or even airplane crashes and smaller scale national disasters.

I think an easy to set up off the shelve system might have great benefits to help solve the first question and help all the relevant authorities and put peace to the minds of parents and friends. If it is build in an open source kind of way with the possibility to run it on a variety of databases/systems and also be easy to adapt to all kinds of national languages. While typing I get all kinds of ideas on how I would want to design it, but that might be something for my Blog.