Erick Rudiak. Songwriter. Singer. Human.

Last week, Microsoft announced some changes to its monthly patch notification mechanism. What caught my eye the most was this:

In addition, as part of the company's ongoing effort to improve its guidance for customers, Microsoft announced its new Exploitability Index. Developed based on customer feedback, the Exploitability Index will provide customers with guidance on the likelihood of functional exploits being developed for vulnerabilities addressed by Microsoft security updates. This additional information helps customers better assess their unique risks and better prioritize deployment of the monthly security update.

I certainly commend Microsoft (and Oracle) for taking the bull by the horns with their approach to vulnerability patching. It's a difficult problem to tackle and the element of predictability they have brought to the table helps their customers. Delivering an "exploitability index" is another story, on the other hand.

It's attempting to answer an interesting and difficult question: "will this happen to me?" To make the example more real, let's ask "will lightning strike me?" To answer this question, we can look at some data that can shed real light on the question. The National Weather Service tracks lightning strikes. You can look at a map of the US and immediately tell what the likelihood of being struck by lightning is for your location; if you dig deeper, you can figure it out for time of year, trends in strike density, etc.

map from lightningsafety.noaa.gov

This data is considered reliable because it uses verifiable historical and geological information about the threat (lightning). Information security, unfortunately, does not conform to the same rules. While Microsoft certainly can make predictions about exploitability of an issue based on their undisputed expert knowledge on the subject, we simply don't have the luxury of looking back on years (or centuries) of data to support those assertions. This is not to knock Microsoft; it's simply that the threat changes so rapidly:

• It's not the same threat every time: buffer overflows in Windows Metafile Format this month, insufficient randomness in DNS query sequence numbers the next, etc.;
  
• "Unknown unknowns": the customer wants to know "will lightning strike me, here and now ?" and to answer that, Microsoft has to understand a staggering number of combinations of software (always), hardware (sometimes), and other mitigating controls (occasionally firewalls, device configurations, etc.); just recently, MS08-037 was revised several times after its initial publication in early July as more details about the interaction of the exploit and the fix itself became known;
  
• Exploitability inevitably changes over time. It only takes one lucky attacker to take a vulnerability from theoretical exploit to weaponized worm. ASLR protection in Windows Vista has been considered a great mitigating control against a variety of overflow attacks, yet at Blackhat 2008, a paper was presented showing how ASLR can be bypassed -- this fundamentally changes the "likelihood of exploitation" equation for an entire class of vulnerabilities, both past and future;
  
• For most vulnerabilities, the fact that there's a patch pretty much guarantees that someone has (or is working on) an exploit. Microsoft says it themselves:
  

  
  Along with the predictability of Microsoft's monthly security update process is the emergence of an undesirable cycle: the release of exploit code, related to those updates, sometimes within hours of release.
  

  
  
  

As a customer trying to decide whether or not to patch every month, I continue to applaud Microsoft's efforts to give me decision-enabling information. Alas, the Exploitability Index is a piece of trivia isn't tipping the scales on the decision for me. If I'm at the ol' swimming hole and I see a thunderstorm approaching, I'm going to get out of the water -- not so much because I've been reading the lightning strike density maps for my neck of the woods, but because I know that -if- I get struck, it's going to hurt. Similarly, as I decide whether or not to patch a given vulnerability immediately, I'm going to make that decision on the same factor: if when an exploit for that vulnerability is released, I want to know which data it's going to hit and how hard. I want to know how much it's going to hurt.

Stay tuned next week when I wax rhapsodic on "The Firestone tire recall of 2000 and why I don't care how long that SQL injection issue has been around."

For the first time in three years, I was unable to attend the SYMG High Sierra Singer Songwriter Adventure. I made many great friends on those trips, and it was a gut-wrenching decision not to go this time around. Every year, each member of the gang would write a song with a common title. In 2006, it was "Collapsible Plans"; last year, it was "Raining Gravel". This year, it was "Paradise Pie", and though I wasn't able to join the trip, I did birth a song with the same name, just to make myself feel a little bit better. I even got to stamp another location on my songwriter passport with this one (hint: look around Cuba).

Listen here:
Paradise Pie MP3 (click here to read along with the lyrics).

It was nice to have fans recording the Brothers K show last month, though it does imply a much lower margin for error than usual. I finished the show with Creator (a.k.a. "Reputo Pro Vestri").

My next, and probably last, tour date for the summer is the Underground Lounge showcase on Wednesday, June 25th at 9:00 PM.

First, a follow-up to A Tale Of Two Stories. That's the one where I suggest that my songs might have commercial value. I'm not quitting my day job, but I do want to make an open and unabashed call out to the folks at Uglydoll: if Cinko ever gets his own TV show or maybe even a commercial, this should be the theme song/jingle:

Cinko.mp3

Second, a follow-up to My Very Own OINY Moment.
I was going to be really excited about the Event Promoters Ordinance passing in Chicago, because that would have meant that cool acts like Mozart and U2 and Elton John would've had to play tiny venues in Oak Park and Evanston. But then the whole thing got tabled (to thunderous applause from the local music community, natch) AND I found out that Steve Poltz is touring the midwest and had a night available to play in Evanston.

Steve and I will be playing songs and spinning yarns of epic ant battles on Wednesday, May 28th, starting at 7:00 PM. All this will happen right here in Evanston at the inimitable and unsurpassed Brothers K Coffee. Donations (preferably in Euros, but we'll take what we can get) are encouraged - baristas have needs too, you know!

My next attempt at "playing for a hostile crowd" will be at Hotti Biscotti, opening for blues rockers Mike & The Michalaks. OK, it's actually The Mike Michalak Band, but I'm going to be up front requesting The Living Years anyway. Mike's cool that way. Showtime is 9:00 PM Friday, May 2nd.

Over the past few weeks, a lot of people have been telling me that I need to see Once because, you see, I'm a singer-songwriter and it's about singer-songwriters. I couldn't figure out why they did not also tell me to see From Russia With Love on similar grounds, but I trust my friends and I tend to agree with The Regular Guy and The A.V. Club, so I rented Once this weekend.

The story is certainly engaging and resonant, the songs are strong and the depiction of the songwriting and recording process (yes, there is definitely a "car test") was refreshing, if a bit treacly. But I couldn't help wondering how much having heard an hour of Glen Hansard on Sound Opinions helped me along while watching the movie. Knowing what I did about the history of the movie made it easier to get into the music and the story and not be distracted by the question of whether these were actors playing musicians or musicians playing actor (if you haven't seen the movie and it matters, try not following the link, OK?). It also helped knowing just enough about slavic languages to have a good guess at the key phrase in the second act, although I have to agree with the director's decision not to subtitle the Czech.

All of which, ultimately, tells me that Once is a good movie but an even better DVD - the extra features and commentary help the movie make an intimate connection which is so critical to the songwriting and performing process. It is, in effect, the all-important banter inbetween songs that brings audience and artist together. Certainly, there are plenty of artists who can walk on stage, say nothing at all, and perform for 90 minutes and make it worth the price of admission. Elvis Costello comes immediately to mind, though the last time I saw him at the Chicago Theater, he did take time between songs to respond to someone in the crowd by announcing "I will not play [expletive] Veronica." It was still a great show with great artistry and I'm glad I saw it. For my money, though, there's something about a show with a storyteller that takes artistry to a new level. Some shows don't need it, and I don't think I'm going to start watching movies exclusively with the DVD commentary on from now on. But I will continue to hope that, if I've discovered a new musician whose songs I like on the radio or online, they'll tell stories about them when I go to see the show. Once was helped by it quite a bit.

P.S. Shotgun Stories was the best movie I saw in 2007 (that was released in 2007). The intensity of the third act was impressive, given the understated tones of the entire movie throughout.

Hey, gang. Hope you're having a great new year. I've created a slew of songs
that have led a truly sheltered life here in the little hamlet of Evan's Town -
they lie on the couch drinking homemade izzes, or maybe they go hiking and
munch roasted marshmallows by the fire. It's about time they saw the harsh,
real world out there, so I'm taking them out to Lilly's in Chicago on Friday,
January 11th. They'll face the harsh reality of an unfamiliar public, a dark
room, and the threat of merely-conditional love. Won't you join me and help
them feel a little bit at home? I knew you would :-) $6 gets you into the
song-desheltering party at 8pm-9pm, with nu-jazz outfit Project 99
following.

Unrelated to the changing kilogram (although, frankly, that's a much more interesting story), changing meter is a too-rarely-used songwriter trick: start out as a rock song, finish a waltz. Of course, it's not a maneuver that's confined to the singer-songwriter genre. Otherwise, orchestras would have drummers and not conductors. But it's something that always catches my attention, particularly when it's done well. I've had mixed success myself: Reputo Pro Vestri is an example of a nice, smooth transition (5/6 in verses, 6/6 in choruses); my collaboration with Luke (3/4 verses, 4/4 coda), not quite as much.

» Read More

The photo above was taken in St. Petersburg in 2004, just outside the Mayakovskaya metro stop. The sign next to the box of kittens read something to the effect of: "Please help, we need money for our medicine. Meow." Why boxes of kittens aren't an Internet meme yet is only a minor mystery to me. I'm willing to do my part, though.

World, welcome Box Of Kittens, the song!

This was the best that my daily vigil of keeping-up-with-the-wacky-world-of-security generated today:

• The bad guys are using clever channels to communicate!
  
• If you have unpatched vulnerabilities on your machine, browsing random websites will lead to nothing but trouble!!
  
• If you're on a shared network and you're not encrypting traffic that matters, some nefarious malefactor may already be using your account!!!
  

One thing I've learned over the years is that it helps to know your audience (which is why this blog is 90% songwriting, but I digress...). Observation #1 about the audiences of the three publications above: odds are, they've been online long enough to know about the perils of patch management, unencrypted data and botnets. That's been drilled into us from all angles, including the aforementioned trade press. Observation #2: odds are, that audience is largely corporate in nature (i.e. not a lot of weekend computer enthusiasts working their ranches from sun-up to sun-down are glued to computerworld.com in their leisure time). Observation #3: the security story that's really going to scare that particular audience straight is that there's an unpatched SAP vulnerability out there. Cheers to infoworld.com for reporting it; jeers to all three for offering as news things we already knew back in 1998.