Roy Firestein

Security Feeds

Archive for June, 2009

Everyone’s Talking working with producer David Bottrill

June 29th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I’m very excited to announce that my band Everyone’s Talking is working on its next release with Grammy award-winning producer David Bottrill. David is best known for his work with the band Tool, producing three critically and commercially successful albums for the group. His credits also include Muse, Peter Gabriel, King Crimson, Coheed And Cambria and many others.
We are heading into the studio next week to start recording the yet-to-be-titled 6-track mini album. The songs on the album will range from solid rock tunes to progressive epics with instrumental madness. We hope to finish everything and have the album out by September. Here’s the tentative track listing.

1. Dragonflies
2. Silent Crime
3. War (Part 1)
4. War (Part 2)
5. Between You And Me
6. Lady

Stay tuned for more updates, and some studio goodness that I will be posting from my twitter.
Can’t wait to share everything with you!

Dani


Analysis of the Legality of Downloading in Canada

June 29th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Slaw guest blogger Neil Melliship of Clark Wilson LLP canvasses the law to assess the legality of downloading music in Canada.

Security 2.0 is not even a failure.. It is a nightmare.

June 29th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Web vulnerabilities are lame and web developers too. We all know this.

And here is what you can read on @britneyspears' Twitter.

Basically, TwitPic allows Twitter users to upload and post pictures to their Twitter status. How? You log in on the TwitPic website with your Twitter login and password, then upload your picture, and that's it. According to their Twitter feed they have more than 2 million users and, as you can see, they have users who own a verified account, like @britneyspears with more than 2 million followers. For your information, a verified account can be recognized by the verified-account icon next to the name, and such accounts have from 10k to 2 million followers.

There is even a feature which allows you to tweet a picture from your phone if you mail the following address: username.XXXX@twitpic.com

XXXX stands for the PIN code. It is obvious that 4 characters is A HUGE MISTAKE from a security point of view. But the funniest thing is… this PIN code is a 4 DIGIT code. Yes, 10^4 only… I am crying blood. I'm crying tears from my eyes that I can't deny and I am falling like a comet from the broken sky.

#1 This is a shame from a security point of view. This is not even 62^4, this is 10^4.
#2 They store both login + password (either in plaintext or using a reversible algorithm)

By the way, TwitPic is NOT even a department of Twitter Inc.
If you look at the terms page, it looks like the HQ address of TwitPic is this:

Twitpic Inc,7736 Farr St Suite 907, Charleston, SC 29492

which is different from Twitter HQ

Twitter Inc., 539 Bryant Street, Suite 402, San Francisco CA 94107.

Twitter has an advanced search feature, so it is not really hard to find potential victims:
http://search.twitter.com/search?max_id=2387073237&page=3&q=http%3A%2F%2Ftwitpic.com%2F
or you can still look at which client a Twitter user posted from. You should read something like: "from TwitPic".

According to TwitPic, they are working on it. But the question is: how is this kind of vulnerability possible in 2009? Is this what people call Cloud Computing Bullshit?
http://twitter.com/TwitPic/status/2383953236

We’ve implemented a fix for the email posting vulnerability, a full blog post explaining the issue will be released soon

We can walk on the moon, we made high-speed trains, people are working on quantum mechanics AND WE CAN STILL FIND THIS KIND OF VULNERABILITY?

To conclude:

  • Web 2.0 is even more than a failure. It shows you how much people can like Britney Spears, or how many of your Facebook friends are stupid enough to send you invitations to join 5 million people in the "Join this group if you want to change the color of your name on Facebook" Facebook group.
  • People do not care about security and do not even know what this word means.
  • A PHP developer can buy a Ferrari by writing a 2k-line website.
  • The 2009 music industry is a failure.

And we are supposed to improve the way people can use a computer? To change their lifestyle and the world?

Work Begins on World’s Deepest Underground Dark Matter Lab

June 25th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Far below the Black Hills of South Dakota, crews are building the world’s deepest underground science lab at a depth equivalent to more than six Empire State buildings — a place uniquely suited to scientists’ quest for mysterious particles known as dark matter.

U.S. Searches of Laptops at Border Questioned

June 17th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

We’ve talked half a dozen times on Slaw about the United States Border Services’ practice of instituting suspicionless searches of travellers’ laptops, recommending basically that lawyers take nothing but a clean machine across the border.

Now the American Civil Liberties Union has made a formal request under the U.S. Freedom of Information Act for records setting out or touching upon policies establishing and governing this practice, as well as data as to the number of searches, the characteristics of persons whose devices were searched, and so forth. The official request adumbrates the ACLU argument that these searches may infringe the constitutional rights of travellers. There is also a press release that explains the ACLU request.

[via beSpacific]

iPhone remote code security exploit discovered

June 17th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Security researcher Charlie Miller and Vincenzo Iozzo, a student at the University of Milan, recently discovered a repeatable method to trick the iPhone’s processor into running unsigned code. The pair now plan to reveal their work at the Black Hat Security Conference in Las Vegas next month.

There have been very few exploits for the iPhone thus far, since the iPhone’s security system generally prevents running arbitrary code. However, Miller and Iozzo discovered a method to enable a working shell, which could let a hacker do virtually anything within the system, including copying private data. Their method, combined with an iPhone OS exploit, has the potential to allow hackers to run virtually any code they want on the device. We talked to Miller to get some more details about how this is possible.

Shai Agassi: China Is EV Tipping Point

June 16th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Shai Agassi has come up with the 21st-century adaptation of that oh-so-20th-century line about GM: What’s good for China is good for the rest of the world.

Introducing the Warpship

June 16th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
astroengine writes “Dr. Richard Obousy, a guy who has put modern science into the warp drive, has designed his very own warpship. Now, for the first time, he’s shared it with the world. It might not be the sleek Starship Enterprise, but its structure has been optimized to harness local ‘dark energy,’ generating a warp bubble so faster-than-light velocities are possible.” Now, the only question is: will the ship achieve faster-than-light travel…or will the company hit those speeds once it has enough money from investors?

Read more of this story at Slashdot.

“Burning Walls” May Stop Black Hole Formation

June 16th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
KentuckyFC writes “Black holes are thought to form when a star greater than 4 times the mass of the Sun explodes in a supernova and then collapses. The force of this collapse is so great that no known force can stop it. In less massive stars, the collapse cannot overcome so-called neutron degeneracy, the force that stops neutrons from being squashed together. Now a Russian physicist says another effect may be involved. He points out that quantum chromodynamics predicts that when neutrons are squashed together, matter undergoes a phase transition into “subhadronic” matter. This is very different from ordinary matter. In subhadronic form, space is essentially empty. So the phase change creates a sudden reduction in pressure, forcing any ordinary matter in the star to implode into this new vacuum. The result is a massive increase in temperature of this matter that creates a “burning wall” within the supernova. And it is this burning wall that stops the formation of a black hole, not just the degeneracy pressure of neutrons. This should lead to much greater energies inside a supernova than had been thought possible until now. And that’s important because it could explain the formation of high energy gamma ray bursts that have long puzzled astrophysicists.”

Read more of this story at Slashdot.

Green Dam stops a lot more than just Pr0n

June 15th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Let’s put filtering on every computer in the country because we want to protect our 14-year-old boys from seeing any inappropriate images, because that’s always worked so well in the past! Or at least that’s what the Chinese government is saying about their new piece of ‘security software’, Green Dam. Like something as simple as filtering software is going to stop a semi-intelligent teenager from finding pictures of women on the Internet? And if it is somehow fairly effective, what’s to stop them from going out and finding a magazine or three? Of course, all the talk about ‘protecting our youth’ is just a smoke screen for having an excuse to put a program on the computer that stops any sort of activity that might possibly be considered subversive by the Chinese government.

I find Green Dam interesting for two reasons. The first is that this isn’t just a web traffic monitoring program; it monitors all behavior on the computer and will terminate any program that has ‘inappropriate information’ entered into it. The example given by Telecom Asia states that simply typing ‘falundafa.org’ into Notepad is enough to get the program terminated. Even if you’re not trying to get to the actual site, Green Dam is set up to stop you from having any sort of information, including the URL, in use on your computer. I guess if you stretch your imagination a little bit, this might be something that’s needed to protect the youth of China from the corrupting influence of Falun Dafa. Or if you’re cynical, it’s just another way the Chinese government is trying to make sure that anything even vaguely subversive never sees the light of day.

The other part I find interesting (and funny) is that it appears at least part of the code for Green Dam is completely stolen code. Not that the company responsible for ‘creating’ Green Dam admits this as fact or is even willing to admit it as a possibility, but finding code and update instructions for Solid Oak’s product in Green Dam is pretty conclusive evidence. Given that much of Asia has long held copyright issues to be someone else’s problem, as long as it’s Asia that’s doing the stealing, this doesn’t really surprise me. Unluckily, it doesn’t appear that any bugs in the original code have been fixed.

The especially disturbing part of Green Dam is that, given the base of its code, it could easily be updated to monitor all traffic and activity on one computer or on all of the computers that have it installed. I have to assume that the Chinese government already has a mechanism in place to update particular computers and begin monitoring and tracking everything that’s happening on those systems. As if what they’re doing already wasn’t enough.



PHP Logic Flaws.

June 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Today I want to show you a vulnerability[1] found in IceBB by __GiReX__ which was submitted to milw0rm yesterday. It is exactly the kind of vulnerability that happens when programmers try to invent their own security mechanisms without understanding all the pitfalls this can create. I thought it would be interesting to see how programmers are thinking and learning. Code block 1, which comes from IceBB, contains some interesting thought flow that led to SQL injection, exactly what the programmer wanted to prevent.


function clean_string($v)
{
    if(get_magic_quotes_gpc())
    {
        $v = stripslashes($v); // magic quotes is OFF
    }

    //$v = htmlentities($v,ENT_QUOTES,'UTF-8'); // first attempt
    $v = htmlspecialchars($v,ENT_QUOTES);
    $v = preg_replace("/&amp;#0*([0-9]*);?/",'&#\\1;',$v); // new attempt

    return $v;
}

When magic quotes are enabled, they first strip the slashes that are in the user-supplied data. Once the data is free of slashes, the code's first attempt was to use htmlentities to prevent SQL injection. Actually, one should apply character entity encoding only when outputting data, not when inserting it. Later on, it seems that this part was commented out for some reason, which led to the use of htmlspecialchars with the ENT_QUOTES constant, which makes sure that all quotes get translated to entities. Then the data goes through a regular expression that places all data inside two single quotes.

So far so good? Not quite. The problem lies in understanding that backslashes can be used in MySQL to escape a character. In our case, we can insert a single backslash that escapes the last quote that was passed through preg_replace. This means that we now have an entry point to inject a new SQL query, thanks to the insertion of our backslash. Now, the general approach is to use the mysql_real_escape_string() function, because it escapes all potentially dangerous characters.

This is what happened in IceBB:

# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='{$icebb->input['author']}'"

# Setting author=\ in this query:
# "SELECT COUNT(*) as total FROM icebb_posts WHERE pauthor_id='\' "

Since it generates an error, we can't do anything with it on its own. But here comes some creativity: when we use two parameters to inject, we can re-create a proper but injected query.

For example:

# GET /index.php?act=members&username=a\&url=OR+1#

Became:

# "SELECT COUNT(*) as total FROM icebb_users WHERE user_group='a\' AND username='OR 1#' AND id!=0 ORDER BY username ASC"

It probably looked quite safe to the programmer who wrote it, but again it shows that programmers start programming without even considering such risks. While this is a logic flaw, it is also due to bad programming habits. The reason for this is that programmers must learn not to invent their own security mechanisms. It sounds tempting, but it always turns out badly. Before this vulnerability emerged, I posted on the Synapse Wiki another logic flaw that I have found a couple of times. In Synapse we aim to find such logic flaws.

Take a look at the code below, and try to figure out what is wrong with it:

str_replace(" ' ", " '' ",$value);

Do you see a problem?

The str_replace function here assumes that a single quote must be preceded by a space. But if we only enter a single quote without a preceding space, the function cannot replace it, because it cannot find the pattern it was given. For example:

$value = str_replace(" ' ", " '' ",$value);
echo "select * from foo where id = ' ".$value." ' ";

If we enter the below query part without a preceding space, it will successfully inject our new SQL query.

'OR 1=1--

These vulnerabilities might seem simple, but I have seen them many times when performing source code review. I hope this sheds some light on simple but dangerous vulnerabilities; they can be prevented by programmers who are focused on secure programming. Granted, it takes some time for some to understand, but it is worth it, because somewhere down the road it will be exploited by someone with more time than you had to write the code. If you consider writing code that is released for free and to a large audience, please remember that you have to make sure it is secure for those who use it. There is simply no excuse for such mistakes, especially when your code previously had SQL injection vulnerabilities and proposed the above code as the fix. Everyone makes mistakes; over time I have had my fair share too. But that doesn't mean one shouldn't stay wary of these things.

[1] http://www.milw0rm.com/exploits/6137

Masking Malware.

June 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Over the weekend I thought about new ways in which someone can mask malware for the web. Today malware writers use a long chain of iframes and a mixture of code obfuscation to hide their malware from webmasters, surfers and malware security researchers. And so I think it's important to investigate new ways of masking malware, because this can give everyone an edge on what is possible. I found two new ways of hiding malware which rely on a flaw and a feature of a browser and server respectively.

Masking Malware inside Internet Explorer 8 beta.

It is possible to hide the source of an application or a piece of malware in Internet Explorer 8 beta by utilizing UTF-16 big-endian encoding. Big endian and little endian refer to the order in which the bytes of a multi-byte value are stored in memory. The Windows architecture was mainly designed for little endian, and so some issues arise with software written for big-endian architectures, and especially with UTF-16 big endian, also called UTF-16BE. When changing a meta content-type charset to UTF-16, you can successfully hide malware inside MSIE8B as seen in example 1.

Example 1.

<meta http-equiv="Content-Type" content="text/html; charset=UTF-16" />

However, it is also possible to encode an entire file as UTF-16BE. This has the same result as setting the charset manually. One way of doing this is writing a function to encode it into UTF-16BE, or using Notepad on Windows and saving a document as UTF-16BE. Another method is to use a server-side language to encode a string to UTF-16, as seen in example 2.

Example 2.

<?php
// Re-encode markup as UTF-16 so that MSIE 8 beta still renders it but
// "view source" no longer shows it readably.
function utf16($str) {
    $utf8 = utf8_encode($str); // Latin-1 -> UTF-8; a no-op for plain ASCII markup

    if(function_exists('mb_convert_encoding')) {
        // PHP's 'UTF-16' target writes big-endian (UTF-16BE), no BOM
        return mb_convert_encoding($utf8, 'UTF-16', 'UTF-8');
    } else {
        return $str; // no mbstring available: the markup is sent unencoded
    }
}

echo utf16('<iframe src="http://www.google.com/malware/malwarez.html"></iframe>');
?>

They all work when one wants to hide the source code of a page created for Internet Explorer. Firefox should render the page as well, but Firefox seems to be UTF-16BE aware when parsing the source back to UTF-8 to display it as "source code". Google Chrome doesn't render the page in UTF-16LE at all.

Masking stylesheet malware.

As some of you know, XSS also comes in a CSS flavour, which results in a bigger XSS attack surface. Problem is, how do you hide a stylesheet? Is it possible at all? The answer is yes. There is a header feature on many platforms that allows for a Link: reference. This means that it's possible to link content into a page through a response header. This way, the stylesheet will not be visible in the source code of a page, and thereby it is possible to mask a stylesheet from inexperienced security researchers. As far as I know only Internet Explorer seems to deny a stylesheet sent through the response header.

<?php

header("Link: <stylesheet.css>; rel=\"stylesheet\"; title=\"style\"");

?>

Which is useful in Xsstc Malware, see this test: http://www.tralfamadore.com/test-xsstc.html from Wes Biggs
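As an added example (not code from the original post), the Python below does for both tricks what a researcher triaging a suspect page needs: it takes a raw HTTP response, reads the Link: header for stylesheets pulled in out of band, sniffs the body encoding (BOM first, then the NUL-byte pattern that ASCII-heavy UTF-16 leaves in either byte order) and re-decodes the body before looking for iframe and object targets. The sample response, its headers and the page body are constructed here; the iframe URL is the placeholder from the PHP snippet above and the Link: value is the one from the header() call. A byte-level grep for <iframe on the UTF-16 body finds nothing, which is the masking effect the post describes.

```python
import codecs
import re

# Constructed sample page; the iframe URL is the placeholder from the PHP example.
PAGE = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=UTF-16" /></head>'
    '<body>Nothing to see here.'
    '<iframe src="http://www.google.com/malware/malwarez.html"></iframe>'
    '</body></html>'
)

BOMS = {"utf-16-be": codecs.BOM_UTF16_BE, "utf-16-le": codecs.BOM_UTF16_LE}


def encode_page(markup, encoding="utf-16-be", bom=False):
    """Encode markup the way the server-side utf16() trick does, in either byte order."""
    return (BOMS.get(encoding, b"") if bom else b"") + markup.encode(encoding)


def sample_response(encoding="utf-16-be", bom=False):
    """Constructed raw HTTP response: the post's Link: header plus an encoded body."""
    body = encode_page(PAGE, encoding, bom)
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b'Link: <stylesheet.css>; rel="stylesheet"; title="style"\r\n'
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return head + body


def split_response(raw):
    """Return ({header-name: [values]}, body) from a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def sniff_encoding(body):
    """Guess the body encoding: a BOM wins; otherwise ASCII text in UTF-16
    puts NUL at every even offset (BE) or every odd offset (LE)."""
    for enc, bom in BOMS.items():
        if body.startswith(bom):
            return enc
    sample = body[:64]
    even_nul = sample[0::2].count(0)
    odd_nul = sample[1::2].count(0)
    if even_nul > len(sample) // 4 and odd_nul == 0:
        return "utf-16-be"
    if odd_nul > len(sample) // 4 and even_nul == 0:
        return "utf-16-le"
    return "utf-8"


def linked_stylesheets(link_values):
    """URLs from Link: header values whose parameters carry rel=stylesheet."""
    found = []
    for value in link_values:
        for part in value.split(","):
            m = re.match(r'\s*<([^>]+)>(.*)', part)
            if m and re.search(r'rel\s*=\s*"?stylesheet"?', m.group(2), re.I):
                found.append(m.group(1))
    return found


def hidden_references(raw):
    """Everything the page pulls in that a grep of the raw body would miss:
    header-linked stylesheets first, then iframe/object targets after re-decoding."""
    headers, body = split_response(raw)
    text = body.decode(sniff_encoding(body), errors="replace").lstrip("\ufeff")
    refs = linked_stylesheets(headers.get("link", []))
    refs += re.findall(r'<(?:iframe|object)\s[^>]*?(?:src|data)=["\']([^"\']+)', text, re.I)
    return refs
```

hidden_references(sample_response()) returns the stylesheet from the header and the iframe target, and returns the same list for a UTF-16LE body with a BOM and for a plain UTF-8 body; the NUL-pattern heuristic only needs a few dozen bytes of mostly-ASCII markup, which is what such pages are.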

Conclusion.

Masking malware can be very important for attackers; for malware security researchers it can be a real nightmare. Sadly these two ideas aren't the only ones. There are many more ways of masking malware; one thing I did not discuss, due to my limited time window, is the use of OBJECTs. With OBJECTs it's possible to make them perform like iframes, because they can hold different MIME and content types, "text/html" for example, which renders an OBJECT as an iframe. Again, this poses another great risk for the internationalization of web standards. Furthermore it is important to always check the response headers, because what gets sent back isn't always what it says it is.

HTML Control Without Javascript.

June 14th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
In some cases users turn off Javascript for security reasons. HTML has limited scripting; in fact it has almost zero scripting capabilities. Well, that is only true if one discards the FOR attribute on a label element, part of form controls. I talked about this FOR attribute before and how to use it to trick users into secretly uploading files from their computer. The problem was that it required Javascript. So I just thought about that FOR attribute, and since it binds a label to another element, it is in fact some sort of scripting, right? Or at least it's a kind of HTML logic that can be triggered if a user does something on an element.

Turns out that it's possible to submit forms with it, without Javascript. Useful if you're into CSRF and all that. So what I did was the following: I made an HTML page and created a label, and inside the label I placed the BODY of the page, containing HTML and text. Now, interestingly, the LABEL and its content is now the button itself, through the binding of the FOR attribute, only invisibly. So that means that when you select text or click somewhere inside the body, the binding becomes active, and the instruction to submit a form is executed without any scripting at all.

My only hope is that it doesn't create a binding between OBJECTs and LABELs, as stated in the Forms RFC[1], where OBJECTs are also listed as control types alongside fields, buttons and other form items. That would mean it would be possible to activate OBJECTs by binding labels to them.

Label binding example:

<label for="action">

<body>

Etymology of "Foo" 1 April 2001
When used in connection with `bar' it is generally traced to the
WW II era Army slang acronym FUBAR (`Fucked Up Beyond All
Repair'), later modified to foobar. Early versions of the Jargon
File [JARGON] interpreted this change as a post-war
bowdlerization, but it now seems more likely that FUBAR was itself
a derivative of `foo' perhaps influenced by German `furchtbar'
(terrible) - `foobar' may actually have been the original form.

</body>

</label>

<form action="http://www.google.com" method="get">

<input type="submit" id="action" style="display:none;">

</form>

[1] http://www.w3.org/TR/html401/interact/forms.html#h-17.2.1
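An added example (not from the original post) that audits markup for this binding with Python's standard-library HTML parser: it records every label's FOR target and every control that has an id, together with the action of the form each control sits in, then reports the labels bound to a submit control hidden with display:none. SAMPLE is a condensed copy of the page above; BENIGN is constructed for contrast. Because the form may come after the label, as it does above, resolution happens once the whole document has been parsed.

```python
import re
from html.parser import HTMLParser

# Condensed copy of the post's page: a label wrapping the body, bound to a
# hidden submit control in a form that appears later in the document.
SAMPLE = """
<label for="action">
<body>
Etymology of "Foo": when used in connection with `bar' it is generally
traced to the WW II era Army slang acronym FUBAR.
</body>
</label>
<form action="http://www.google.com" method="get">
<input type="submit" id="action" style="display:none;">
</form>
"""

# Constructed benign page: the label points at a visible text field.
BENIGN = """
<form action="/search"><label for="q">Search</label><input id="q" type="text"></form>
"""


class LabelBindingAudit(HTMLParser):
    """Record every <label for=...> target and every form control with an id,
    plus the action of the <form> the control is inside."""

    def __init__(self):
        super().__init__()
        self.label_targets = []   # ids named by <label for="...">
        self.controls = {}        # id -> {"type", "style", "action"}
        self._action = None       # action of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "label" and a.get("for"):
            self.label_targets.append(a["for"])
        elif tag == "form":
            self._action = a.get("action")
        elif tag in ("input", "button") and a.get("id"):
            # a <button> without type= submits by default
            default_type = "submit" if tag == "button" else ""
            self.controls[a["id"]] = {
                "type": a.get("type", default_type).lower(),
                "style": a.get("style", ""),
                "action": self._action,
            }

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def hidden_submit_bindings(markup):
    """Return (control id, form action) for each label bound to a submit
    control hidden with display:none: a click anywhere inside that label
    submits the form with no script involved."""
    audit = LabelBindingAudit()
    audit.feed(markup)
    findings = []
    for target in audit.label_targets:
        ctl = audit.controls.get(target)
        if ctl and ctl["type"] == "submit" and re.search(r"display\s*:\s*none", ctl["style"], re.I):
            findings.append((target, ctl["action"]))
    return findings
```

hidden_submit_bindings(SAMPLE) reports ("action", "http://www.google.com"); the benign page reports nothing. The check is keyed on the binding and the hidden submit, not on the label's text, since the label that wraps a whole body can contain anything.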

Albert Einstein

June 12th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
“Try not to become a man of success, but rather try to become a man of value.”

Acoustic Black Hole Created in Bose-Einstein Condensate

June 12th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Researchers at the Israel Institute of Technology, in Haifa, say that they’ve created the sonic equivalent of a black hole in a Bose-Einstein Condensate which should allow the eventual discovery of Hawking radiation.

SHA-1 collisions achievable

June 11th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
“The researchers, from Macquarie University in Sydney, Australia, found a way to break the SHA-1 algorithm in significantly fewer tries than previously required. Although the hash function was previously believed to withstand attempts numbering 2^63, the researchers have been able to whittle that down to 2^52, a number that puts practical…

Addressing the elephant in the tubes

June 11th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Cisco recently released a report predicting massive growth in Internet video traffic over the next several years. Arguably the most provocative prediction made therein states that "global IP traffic will quintuple from 2008 to 2013."

The Internet, to borrow a line from Douglas Adams, is big. Really big. So an estimated 400% growth in its traffic in just five years is more than mild conjecture. The report goes on to assert that "Internet video is now approximately one-third of all consumer Internet traffic, not including the amount of video exchanged through P2P file sharing," which seems unlikely. Then again, when you consider the sheer infeasibility of accurately arriving at these numbers in the first place, any credibility of the report instantly deteriorates into that of a marketing brochure anyway.

Which isn’t to say huge growth shouldn’t be expected and welcomed; indeed, most experts agree that this Internet thing is here to stay. However, reports like this one, for all their abstract arithmetic, fail to address the ominous creep of artificial throughput limitations quietly (and not so quietly) being implemented by Internet service providers around the world.

Bandwidth caps have long been a burden of life in countries such as Australia and the UK, one which is slowly spreading to broadband subscribers across North America. Last year, Comcast announced an official 250 GB transfer limit amid much controversy regarding their definition of "acceptable use." Several Canadian ISPs have recently had their bandwidth throttling practices called into question. And of course there’s the utter nonsense undertaken by Time Warner.

With such miserly tendencies becoming the norm, Internet growth is sure to fall far short of Cisco’s predictions. The question now is whether pressure from network vendors and content providers will be enough to reverse the course undertaken by so many ISPs. There is no denying that the technology to support such increases in throughput is available, but can service providers be convinced to adopt it?


Top 10 Ways to Provoke a Geek Argument

June 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Geeks, as a general rule, are pretty easy-going. We like to think things through, so passionate confrontations aren’t commonplace for us. When we get well and properly provoked, though, watch out! We won’t stop talking until every last point that we can think of has been made at least twice. So, what do you say to provoke a geek?

TEDTalks : Yann Arthus-Bertrand captures fragile Earth in wide-angle – Yann Arthus-Bertrand (2009)

June 9th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
In this image-filled talk, Yann Arthus-Bertrand displays his three most recent projects on humanity and our habitat — stunning aerial photographs in his series “The Earth From Above,” personal interviews from around the globe featured in his web project “6 billion Others,” and his soon-to-be-released movie, “Home,” which documents human impact on the environment through breathtaking video.

Links To Interesting Stuff

June 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I have a ton of tabs open in Firefox about stuff I thought would be some sweet newschool-esque reading for everybody out there.

1.) Threat and Risk Mapping Analysis in Sudan
Not really about measurement and progress, but a fascinating look at “physical risk management” nonetheless:

http://irevolution.wordpress.com/2009/04/09/threat-and-risk-mapping-analysis-in-sudan/

2.)  I thought Gunnar did a great job on these two posts:

Begin The Begin, Cloud Security : http://1raindrop.typepad.com/1_raindrop/2009/06/begin-the-begin-cloud-security.html

Enterprise Security Priorities : http://1raindrop.typepad.com/1_raindrop/2009/06/enterprise-security-priorities.html

3.)  Similar to Gunnar’s Security Priorities is this link from CIO mag (it’s pretty dry until the second page, so I linked to that one):

Valuing an IT Service : http://www.cioupdate.com/trends/article.php/11047_3821986_2/How-to-Assign-Value-to-an-IT-Service.htm

4.)  If Physics is simply the act of observing the world around us and building mathematical models to describe it, then here’s a fun little post on Love

from the NYT (SFW): http://judson.blogs.nytimes.com/2009/05/26/guest-column-loves-me-loves-me-not-do-the-math/?em

5.)  Talk about NewSchool in practice: if you’re not subscribing to Chris Hayes’ Risktical blog, you’re missing out. Here’s something he did this week that I really liked:

The Risk Is Right http://risktical.com/2009/05/21/the-risk-is-right/ – one word, hardcore.

6.)  Finally, I’ve often said that even if you hate risk analysis, you’re doing it anyway.  Just in a bad, ad-hoc manner.  Here’s something from Gelman’s blog that suggests that you’re gonna have to eventually be “New School”:

Those who don’t know statistics are doomed to . . . rely on statistics anyway :  http://www.stat.columbia.edu/~cook/movabletype/archives/2009/06/those_who_dont.html It’s even got a Bill James mention!

Quantum Mysticism: Gone but Not Forgotten

June 8th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Does mysticism have a place in quantum mechanics today, or is the idea that the mind plays a role in creating reality best left to philosophical meditations? Harvard historian Juan Miguel Marin argues the former – not because physicists today should account for consciousness in their research, but because knowing the early history of the philosophical ideas in quantum mechanics is essential for understanding the theory on a fundamental level.

Manipulating Light on a Chip for Quantum Technologies

June 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via Physorg.com -

A team of physicists and engineers at Bristol University has demonstrated exquisite control of single particles of light — photons — on a silicon chip to make a major advance towards long-sought-after quantum technologies, including super-powerful quantum computers and ultra-precise measurements.

The Bristol Centre for Quantum Photonics has demonstrated precise control of four photons using a microscopic metal electrode lithographically patterned onto a silicon chip.

The photons propagate in silica waveguides — much like in optical fibres — patterned on a silicon chip, and are manipulated with the electrode, resulting in a high-performance miniaturized device.

“We have been able to generate and manipulate entangled states of photons on a silicon chip” said PhD student, Jonathan Matthews, who together with Alberto Politi performed the experiments. “These entangled states are responsible for famously ‘weird’ behaviour arising in quantum mechanics, but are also at the heart of powerful quantum technologies.”

“This precise manipulation is a very exciting development for fundamental science as well as for future quantum technologies.” said Prof Jeremy O’Brien, Director of the Centre for Quantum Photonics, who led the research.

[...]

The team coupled photons into and out of the chip, fabricated at CIP Technologies, using optical fibres. Application of a voltage across the metal electrode changed the temperature of the silica waveguide directly beneath it, thereby changing the path that the photons travelled. By measuring the output of the device they confirmed high-performance manipulation of photons in the chip.

The researchers proved that one of the strangest phenomena of the quantum world, namely “quantum entanglement”, was achieved on-chip with up to four photons. Quantum entanglement of two particles means that the state of either of the particles is not defined, but only their collective state, and results in an instantaneous linking of the particles.

This on-chip entanglement has important applications in quantum metrology and the team demonstrated an ultra-precise measurement in this way.

“As well as quantum computing and quantum metrology, on-chip photonic quantum circuits could have important applications in quantum communication, since they can be easily integrated with optical fibres to send photons between remote locations,” said Alberto Politi.

“The really exciting thing about this result is that it will enable the development of reconfigurable and adaptive quantum circuits for photons. This opens up all kinds of possibilities,” said Prof O’Brien.

Physicists Demonstrate Quantum Entanglement In Mechanical System

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Physicists have demonstrated entanglement — a phenomenon peculiar to the atomic-scale quantum world — in a mechanical system similar to those in the macroscopic everyday world. The work extends the boundaries of the arena where quantum behavior can be observed and shows how laboratory technology might be scaled up to build a functional quantum computer.

Amusements with Alpha

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

I just saw a link to someone who had broken Wolfram Alpha. Their breaking question was, “when is 5 trillion days from now?” The broken result is:

{DateString[{13689537044,5,13,16,57,18.5796},Hour12Short],:,
DateString[{13689537044,5,13,16,57,18.5796},Minute],:,
DateString[{13689537044,5,13,16,57,18.5796},Second],
,DateString[{13689537044,5,13,16,57,18.5796},
AMPMLowerCase]} |
{DateString[{13689537044,5,13,16,57,18.5796},DayName],, ,DateString[{13689537044,5,13,16,57,18.5796},MonthName], ,DateString[{13689537044,5,13,16,57,18.5796},DayShort],, ,13689537044}

Which is certainly amusing. A quick check shows that even one trillion days gives a similar error.

A bit of the old binary searching will yield that (today’s — 3 June 2009) maximum question is, when is 784 billion 351 million 562 thousand 378 days from now?

That’s an odd number of days for the maximum to be, even while being even and finite. The source of the error can be found in that final displayable day: 31 December 2147483647.

That year happens to be the maximum signed 32-bit integer, which tells us the problem. The display code isn’t using bignums for years (or even long longs).

The inverse question is, “how many days until 31 december 2147483647?” but sadly, Alpha doesn’t know how to parse that. It does know how to parse “how many days until 31 december 9999” which is the furthest-out date it can answer. The year 10000 does not work.

I am amused at what this tells us about the guts of Alpha. In some display code, there’s a signed 32-bit integer limiting output. In some input code, there’s an assumption that years have four digits.
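To make the arithmetic in the post reproducible, here is an added example; it is my own code, not Wolfram Alpha’s and not part of the original post. It assumes the proleptic Gregorian calendar and takes 3 June 2009 as “today”, as the post does. The days_from_civil / civil_from_days helpers are Howard Hinnant’s published algorithms re-implemented in Python, because Python’s datetime stops at year 9999 and cannot reach year 2147483647. The bisection function plays the role of the post’s binary search: it only asks a yes/no question (“does the resulting year fit in a signed 32-bit integer?”) and converges on the same limit.

```python
# Added example (not from the original post): reproduce the Wolfram Alpha
# date limit with arbitrary-precision integers and show where a signed
# 32-bit year field breaks.
#
# Date arithmetic is proleptic Gregorian (Howard Hinnant's days_from_civil /
# civil_from_days). Python's datetime is unusable here: it stops at year 9999.

INT32_MIN = -2**31
INT32_MAX = 2**31 - 1

TODAY = (2009, 6, 3)                 # the date the post's search was done
LAST_DISPLAYABLE = (INT32_MAX, 12, 31)   # 31 December 2147483647


def days_from_civil(y, m, d):
    """Days since 1970-01-01 for a proleptic Gregorian date (any year)."""
    y -= m <= 2                      # treat Jan/Feb as months 13/14 of the prior year
    era = y // 400                   # floor division, so negative years work too
    yoe = y - era * 400              # year of era, 0..399
    doy = (153 * (m + (-3 if m > 2 else 9)) + 2) // 5 + d - 1
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
    return era * 146097 + doe - 719468


def civil_from_days(z):
    """Inverse of days_from_civil: (year, month, day) for a day count."""
    z += 719468
    era = z // 146097
    doe = z - era * 146097
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153        # month index with March = 0
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9
    y = yoe + era * 400 + (m <= 2)
    return (y, m, d)


def add_days(date, n):
    return civil_from_days(days_from_civil(*date) + n)


def days_between(start, end):
    return days_from_civil(*end) - days_from_civil(*start)


def fits_int32(x):
    return INT32_MIN <= x <= INT32_MAX


def wrap_int32(x):
    """Value a C-style signed 32-bit store would hold for x (two's-complement wrap)."""
    return (x + 2**31) % 2**32 - 2**31


def max_displayable_days(today=TODAY):
    """Largest N such that the year of today + N days still fits in an int32."""
    return days_between(today, LAST_DISPLAYABLE)


def find_limit_by_bisection(today=TODAY, hi=10**13):
    """Black-box version of the post's search: probe with a yes/no oracle only.
    Loop invariant: the year at lo fits in int32, the year at hi does not."""
    lo = 0
    assert not fits_int32(add_days(today, hi)[0])
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if fits_int32(add_days(today, mid)[0]):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    n = max_displayable_days()
    print("max days from", TODAY, "=", n)                 # 784351562378
    print("bisection agrees:", find_limit_by_bisection() == n)
    y, m, d = add_days(TODAY, n + 1)
    print("one day further is year", y, "-> int32 wraps to", wrap_int32(y))
```

The two approaches agree on 784,351,562,378 days, and the next day lands on 1 January 2147483648, a year that no longer fits in a signed 32-bit integer; wrap_int32 shows the value such a field would actually hold if the store were unchecked, which is the kind of silent truncation the post infers from Alpha’s display code.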

Hacking Tool Lets A VM Break Out And Attack Its Host

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
‘Cloudburst’ memory-corruption exploit released with Immunity Inc.’s new version of Canvas penetration testing software

Dear Mr. Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It?

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

For someone who suggests that Cloud Computing is “nothing new,” Bruce Schneier continues to feed the hamster saying a whole lot about nothing.  I’ve seen video after video of señor Schneier staring wide-eyed and unblinking into the camera, suggesting that Cloud Computing is much ado about nothing.

A recent illustration in a different medium is a story in the Guardian titled “Be Careful When You Come To Put Your Trust In the Clouds.”

Fundamentally it’s hard to argue with that title as clearly we’ve got issues with security and trust models as it relates to Cloud Computing, but the byline seems to be at odds with Schneier’s ever-grumpy dismissal of Cloud Computing in the first place.  We need transparency and trust: got it.

Many of the things Schneier says make perfect sense whilst others seem to suggest he’s adding Peyote to his corn flakes.  Let’s look at a couple of them:

This year’s overhyped IT concept is cloud computing. Also called software as a service (SaaS), cloud computing is when you run software over the internet and access it via a browser. The salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future.

Clearly there is a lot of hype around Cloud Computing, but I believe it’s important — especially as someone who spends a lot of time educating and evangelizing — that people like myself and Schneier effectively separate the hype from the hope and try and paint a clearer picture of things.

To that point, Schneier does his audience a disservice by dumbing down Cloud Computing to nothing more than outsourcing via SaaS.  Throwing the baby out with the rainwater seems a little odd to me and while it’s important to relate to one’s audience, I keep sensing a strange cognitive dissonance whilst reading Schneier’s opining on Cloud.

Firstly, and as I’ve said many times, Cloud Computing is more than just Software as a Service (SaaS.)  SaaS is clearly the more mature and visible set of offerings in the evolving Cloud Computing taxonomy today, but one could argue that players like Amazon with their Infrastructure as a Service (IaaS) or even the aforementioned Google and Salesforce.com with the Platform as a Service (PaaS) offerings might take umbrage with Schneier’s suggestion that Cloud is simply some “…software over the internet” accessed “…via a browser.”

Overlooking IaaS and PaaS is clearly a huge miss here and it calls into question the point Schneier makes when he says:

But, hype aside, cloud computing is nothing new. It’s the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer. It’s what Hotmail and Gmail have been doing all these years, and it’s social networking sites, remote backup companies, and remote email filtering companies such as MessageLabs. Any IT outsourcing – network infrastructure, security monitoring, remote hosting – is a form of cloud computing.

The old timesharing model arose because computers were expensive and hard to maintain. Modern computers and networks are drastically cheaper, but they’re still hard to maintain. As networks have become faster, it is again easier to have someone else do the hard work. Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background.

<sigh> Welcome to the evolution of technology and disruptive innovation.  What’s the point?

Fundamentally, as we look beyond speeds and feeds, Cloud Computing — at all layers and offering types — is driving huge headway and innovation in the evolution of automation, autonomics and the applied theories of dealing with massive scale in compute, network and storage realms.  Sure, the underlying problems — and even some of the approaches — aren’t new in theory, but they are in practice.  The end result may very well be that a consumer of service may not see elements that are new technologically as they are abstracted, but the economic, cultural, business and operational differences are startling.

If we look at what makes up Cloud Computing, the five elements I always point to are:

[image: cloud-keyingredients018]

Certainly the first three are present today — and have been for some while — in many different offerings.  However, combining the last two: on-demand, self-service scale and dynamism with new economic models of consumption and allocation are quite different, especially when doing so at extreme levels of scale with multi-tenancy.

So let’s get to the meat of the matter: security and trust.

But what about security? Isn’t it more dangerous to have your email on Hotmail’s servers, your spreadsheets on Google’s, your personal conversations on Facebook’s, and your company’s sales prospects on salesforce.com’s? Well, yes and no.

IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors – and your ISP. Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems. We’ve spent decades dealing with worms and rootkits that target software vulnerabilities. We’ve worried about infected chips. But in the end, we have no choice but to blindly trust the security of the IT providers we use.

SaaS moves the trust boundary out one step further – you now have to also trust your software service vendors – but it doesn’t fundamentally change anything. It’s just another vendor we need to trust.

Fair enough.  So let’s chalk one up here to “Cloud is nothing new — we still have to put our faith and trust in someone else.”  Got it.  However, by again excluding the notion of PaaS and IaaS, Bruce fails to recognize the differences in both responsibility and accountability that these differing models bring; limiting Cloud to SaaS while simple for cute argument does not a complete case make:

[image: cloud-lower030]

To what level you are required to and/or feel comfortable transferring responsibility depends upon the provider and the deployment model; the risks associated with an IaaS-based service can be radically different than that of one from a SaaS vendor. With SaaS, security can be thought of from a monolithic perspective — that of the provider; they are responsible for it.  In the case of PaaS and IaaS, these trade-offs become more apparent and you’ll find that this “outsourcing” of responsibility is diminished whilst the mantle of accountability is not.  This is pretty important if you want to be generic in your definition of “Cloud,” Mr. Schneier.

Here’s where I see Bruce going off the rails from his “Cloud is nothing new” rant, much in the same way I’d expect he would suggest that virtualization is nothing new, either:

There is one critical difference. When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs. You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can’t. You have to trust your outsourcer completely. You not only have to trust the outsourcer’s security, but its reliability, its availability, and its business continuity.

You don’t want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt. You don’t want the company you’re using to be sold to your direct competitor. You don’t want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren’t as drastic.

Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually we’ll get this right, but you don’t want to be a casualty along the way.

So therefore I see a huge contradiction.  How we secure — or allow others to — our data is very different in Cloud, it *is* something new in its practical application.   There are profound operational, business and technical (let alone regulatory, legal, governance, etc.) differences that do pose new challenges. Yes, we should take our best practices related to “outsourcing” that we’ve built over time and apply them to Cloud.  However, the collision course of virtualization, converged fabrics and Cloud Computing are pushing the boundaries of all we know.

Per the examples above, our challenges are significant.  The tech industry thrives on the ebb and flow of evolutionary punctuated equilibrium; what’s old is always new again, so it’s important to remember a couple of things:

  1. Harking back (a whopping 60 years) to the “dawn of time” in the IT/Computing industry making the case that things “aren’t new” is sort of silly and simply proves you’re the tallest and loudest guy in a room full of midgets.  Here’s your sign.
  2. I don’t see any suggestions for how to make this better in all these rants about mainframes, only FUD.
  3. If “outsourcing is the future of computing” and we are to see both evolutionary and revolutionary disruptive innovation, shouldn’t we do more than simply hope that “…eventually we’ll get this right?”

So please, Mr. Schneier, spare me the diatribe and stick with the Friday Squid postings and leave Cloud to those of us who do care about it.

Regards,

/Hoff

Related posts:

  1. Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses
  2. Incomplete Thought: Cloud Workloads – Really?
  3. On the Draft NIST Working Definition Of Cloud Computing…

Backtrack 4 “Powered with CUDA”

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Some really exciting stuff going on in the world of CUDA on backtrack 4. We have updated to cuda 2.2 and will be offering the complete developers’ environment. This will include everything you need to write some of your own tools with CUDA if the need arises. If you don’t know what CUDA is [...]

The World’s (Phone) Reactions to Obama’s Inauguration

June 5th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Shared by royfire

Cool data visualization!

[image: senseable city call obama]

On Obama’s Inauguration Day the world watched… and called each other. And those calls were voluminous and corresponded to parts of his speech. To see just how the world reached out to each other MIT’s Senseable City Lab and AT&T teamed up to analyze the call records of that day. In honor of Obama's 100th day in office they released a series of data visualizations at Obama | One People. The project lead was Andrea Vaccari, a frequent ETech speaker.

On that day “call activity is two to three times stronger than usual, and it rises to five times the normal levels after 2 pm as President Obama takes his oath”. The Senseable City team created visualizations for activity in D.C. and across the world. The City viz (image above) is described as:

The City joins the mobile call data with a map of Washington D.C. to produce a stirring visualization. The areas around the Mall and Pennsylvania Avenue, where most inaugural activities took place, are highlighted on the map with 3-D building models colored in yellow. In the center of the screen, the map of Washington, D.C. is overlaid with a 3-D color-coded animated surface of square tiles (1 tile represents an area of 150 x 150 meters). Each tile rises and turns red as call activity increases and likewise drops and turns yellow as activity decreases. On the left, a bar chart breaks down the call activity by showing the normalized contributions of calls from the 50 states and 138 foreign countries grouped by continent. The timeline at the bottom illustrates the overall trend of call activity in the city during the week of the Presidential Inauguration.

There is a Bonus version of the city visualization after the jump that includes state-level call data for the nation.

[image: obama one world]

Obama | One People also has a world visualization described as:

The World illustrates the provenance of those who traveled from all over the U.S. and the world to Washington D.C. to witness President Obama’s inauguration. It interprets the variations in call activity as flows of people arriving in Washington, D.C. and then leaving the capital to go back to their home states and countries. A world map shows links between Washington, D.C. and countries abroad. Dynamic packets of information represent 100 calls for U.S. States and 10 calls for foreign countries depending on whether call activity increased or decreased in relation to the previous hour. The timeline on the bottom of the screen connects back to The City visualization by showing the overall trend of call activity in Washington, D.C. during the week of the Presidential Inauguration.

The Senseable City team also included some analysis of the call logs:

The states with the strongest increase were the southern states of Alabama, Georgia, Kentucky and Tennessee, with calls up to twelve times the normal levels. These are states that played a prominent role in the Civil Rights movement and notably are also so-called red states whose voting population went for the Republican candidate, John McCain. Other states with a ten-fold increase in call activity were Illinois, Barack Obama’s home state, and Michigan, Ohio and Indiana, swing states which went blue, voting for President Obama. Most interestingly, comparing these results with U.S. demographic statistics shows that the percentage of African Americans in each U.S. state is a predominant factor determining increase in call activity and therefore participation in the event, which instead was not necessarily influenced by the state’s proximity to Washington, D.C. or its political leaning.

Obama’s inauguration was one of the most recorded events in history. The MIT project does not have quite the emotional impact of CNN’s collaboration with Microsoft to create a Photosynth called The Moment, or the humor of The Onion’s fictional report on Obama being outfitted with 238 Motion Capture Sensors to create a 3D record of his tenure. However, by finding a way to involve the world, the project has more accurately captured the importance of this moment.

information aesthetics also has coverage.

Bonus Version of the City:

World Visualization:

Presumption of Innocence Now Meaningless in Ontario?

June 4th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Back in April I wrote a somewhat sarcastic article here on slaw.ca criticising the new Road Safety Act (“RSA”) as allowing “convictions without trials” (http://www.slaw.ca/2009/04/22/8208/). The story took on a bit of a life of its own resulting in some TV appearances that in turn generated a fair bit of commentary from the general public. One theme that ran through a vocal minority of those who called in to the talk shows took me to task for “overreacting” or being “alarmist” in my complaint that the RSA authorized police to issue tickets from which there is no appeal. I was reminded that charges under the RSA were not criminal and that police could be trusted to charge the right people. I retorted that the day might soon come in which even criminal charges were treated in this manner and that, in the name of expediency and ‘safety’ (whatever that means), we were giving up the very foundation of due process on which our legal system rests.

Sadly, it took under two months for the Ontario Court of Appeal to prove me right.

Last week Magdy Tadros learned the hard way that the presumption of innocence just ain’t what it used to be. Tadros was a social worker operating a group home in 2002 when he was arrested and charged with a series of sexual offences arising out of complaints made by some children in the home. A year and a half later in October, after careful analysis by the assigned crown attorney, all charges against Mr. Tadros were withdrawn. Tadros entered into a Peace Bond with the court promising to abide by certain conditions while stating through counsel clearly on the record that he “does not acknowledge the facts alleged in the information”.

Understandably, Tadros thought his frightening ordeal was over with. He returned to the task of re-establishing his career and sought employment at a number of facilities as a social worker. As is standard practice, he consented to criminal background checks along with a vulnerable person sector screening. No doubt it came as quite a shock to Mr. Tadros to learn that information contained in his screening included the fact that he had been charged with sexual offences against children even though all such charges had been categorically denied by him and withdrawn by the crown. Not surprisingly, this disclosure threw a wrench in Tadros’ plan to get back into the social work field. He applied to the Superior Court of Justice (“SCJ”) and was granted an order prohibiting Peel Regional Police from disclosing the fact that he had been charged on future screens — until now.

In a dizzying judgment that jumps from analysis of privacy laws to Charter scrutiny, the Ontario Court of Appeal (“OCA”) unanimously reversed the decision of the SCJ stating the “right to liberty does not include the right to censure accurate information lawfully held.” The full text of the decision can be found at http://www.canlii.org/en/on/onca/doc/2009/2009onca442/2009onca442.html.

In a display of blinding naiveté the OCA suggested that “in a case where withdrawn charges which were false are disclosed, the potential employee has the ability to explain the circumstances to the proposed employer.” Say what now? The assumption that prospective employers will respect the presumption of innocence enough to ignore false allegations that resulted in criminal charges is laughable. To suggest to someone in Mr. Tadros’ position that they have merely to “explain the circumstances to the proposed employer” is to miss the fact that Tadros already did exactly that in the forum most suited to ferreting out the truth of these allegations – our courts of law. Having had the charges against him withdrawn, he should never be placed into the position of having to explain to anyone why some police officer somewhere once chose to lay a false charge against him. That’s the whole point of a justice system.

And so we come full circle. The RSA recently expanded the authority of police officers to lay traffic charges with serious criminal repercussions without any right of appeal or resort to any trial. Now, in the Tadros case, the OCA has authorized police not to worry too much about the criminal trials either – after all, if the suspect gets acquitted, you can still just tell everyone what he was charged with. Good luck explaining that one.