Orcmid's Lair
2004-03-20

Book excerpt: Exploiting Software - Computerworld. This interesting extract deals with how hackers reverse-engineer a program to discover assumptions that can be used as openings for exploits. This basically reveals assumptions that programmers make, especially about inputs, that can be violated and made avenues for an exploit.

Q&A: Quality software means more secure software - Computerworld. This 2004-03-17 Mark Willoughby interview with Gary McGraw discusses the new book with Greg Hoglund, Exploiting Software: How to Break Code. There is a sample chapter on the site. The tie-in of software quality and security, along with the emphasis on attention to the overall software lifecycle and attention to security from the beginning, strike me as apt.

ACM News Service - Q&A: Quality Software Means More Secure Software. This article focuses on flaws rather than bugs, noting that 50% of flaws occur at the requirements level, according to Barry Boehm. It will be interesting to see how this fits with achievement of dependable systems and whether it requires serious requirement and risk management.

2004-03-19

Open SSL Security Advisory [17 March 2004]. Here's the advisory on OpenSSL. They posted the fix on the same day. This is CAN-2004-0079 and CAN-2004-0112. The cure in both cases is an upgrade to 0.9.7d or 0.9.6m. It is necessary to recompile or relink any statically-bound usage of the OpenSSL SSL/TLS libraries.

2004-03-18

Iterative Probabilistic Decoding of a Low Density Parity Check Code. This is a very cute demonstration. In this case, there are as many parity (ECC) bits as image bits, but they are able to recover errors completely with an iterative probabilistic technique. This is work of David MacKay with Neal.

Software for Low Density Parity Check Codes. This download page has more information on Radford Neal's implementation of LDPC software, including testing tools. The copyright notice licenses use and derivative works only for research and education.
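The iterative decoding behind the demonstration above, shown in its simplest hard-decision form (Gallager bit flipping rather than the probabilistic sum-product variant the demo uses), as an added example that is not code from the page or from MacKay and Neal's software. The parity-check matrix H, the codeword and the error patterns are constructed for this example.

```python
# Added example, not code from the page or from MacKay/Neal's software: the
# hard-decision (bit-flipping) form of iterative LDPC decoding.  H is a
# constructed toy parity-check matrix: every column has weight 2 and every row
# weight 4, so each code bit takes part in exactly two checks and no two bits
# share both of their checks (no 4-cycles).  H has rank 4, so the code carries
# 6 information bits in 10 transmitted bits and corrects any single error.
H = [
    [1, 1, 1, 1, 0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 1, 1, 1, 0, 0, 0],
    [0, 1, 0, 0, 1, 0, 0, 1, 1, 0],
    [0, 0, 1, 0, 0, 1, 0, 1, 0, 1],
    [0, 0, 0, 1, 0, 0, 1, 0, 1, 1],
]


def syndrome(h, word):
    """One entry per check: 0 if the parity check is satisfied, 1 if violated."""
    return [sum(a & b for a, b in zip(row, word)) % 2 for row in h]


def bit_flip_decode(h, received, max_flips=20):
    """Gallager bit flipping: while some check is violated, flip the bit that
    takes part in the most violated checks (lowest index on ties).
    Returns (decoded word, number of flips made, whether all checks hold)."""
    word = list(received)
    n = len(word)
    for flips in range(max_flips):
        s = syndrome(h, word)
        if not any(s):
            return word, flips, True
        # Count, for each bit, how many violated checks it participates in.
        counts = [sum(h[i][j] for i in range(len(h)) if s[i]) for j in range(n)]
        j = max(range(n), key=lambda k: counts[k])
        word[j] ^= 1
    return word, max_flips, not any(syndrome(h, word))


# Constructed codeword: bits 0, 1 and 4 set (the columns for these bits cancel
# in every row of H, so the syndrome is all zeros).
CODEWORD = [1, 1, 0, 0, 1, 0, 0, 0, 0, 0]


def demo(error_positions):
    """Corrupt CODEWORD at the given positions and decode; returns
    (recovered original?, flips made, all checks satisfied?)."""
    noisy = list(CODEWORD)
    for p in error_positions:
        noisy[p] ^= 1
    decoded, flips, ok = bit_flip_decode(H, noisy)
    return decoded == CODEWORD, flips, ok


if __name__ == "__main__":
    print(demo([7]))      # single error: one flip repairs it
    print(demo([0, 9]))   # two errors in disjoint checks: two flips
```

The soft-decision decoder in the demo replaces the integer counts with probabilities passed between bits and checks, which is what lets it recover from far denser errors than this hard-decision version.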
Software for Low Density Parity Check (LDPC) codes. This is a kit developed by Radford Neal at cs.toronto. A useful find also.

opencores.org CF LDPC Decoder Overview. It is not clear where this software is, but it serves as a reference implementation for evaluation. The software is not proposed to be efficient, but rather to be understandable.

MCLv3 Project. There is an Inria open-source project for Reliable Multicast Protocols that includes an LDPC "codec" implementation that is entirely open-source. This is where to find out more.

Feature Article. This is Erico Guizzo's March 2004 IEEE Spectrum article, "Closing in on the perfect code." This is a fascinating article. There is information on LDPC codes, which are no longer subject to IP protection, may work better than Turbo Codes for some things, and are easier to implement. My, my.

ACM News Service - Closing In on the Perfect Code. This is about the ability to provide forward-error correction that allows transmission at very close to channel capacity. There have been promising results. This reminds me of something that I have wondered about in regard to compression techniques, especially that "What turbo codes do internally is to come up with bit decisions along with reliabilities that the bit decisions are correct." I keep thinking that compression techniques can work with the same principle for data that is presumed to be reliably transmitted.

E-Commerce News: Spotlight Features: The End of Passwords. Here is Elizabeth Millard's 2004-03-13 article. I didn't get much more out of it. I am still looking for what applies to a SOHO situation and my carrying my laptop around!

ACM News Service - The End of Passwords.
The title reflects the discussion of alternative authentication devices and ways they may be used in business settings. It is not clear whether this would help in more-widespread single sign-on. The article doesn't directly mention USB authentication devices, but there is discussion of the SecurID technology. The kinds of blended techniques that are being considered are of interest to me as well.

NewsFactor Network - Science - Can Social Networking Stop Spam?. Here's the Mike Martin 2004-03-15 article that the Technews blurb was about. There is something off about this, and I can't figure out what it is. One way to look at it is that it is about privacy (and security too, but let's stick with privacy). So how do individuals (and their user agents) maintain privacy and resist or ignore attempted intrusions? From that perspective, for me, spam is simply an intrusion on my resources and attention, and I want a way to shed it that is at least as economical as what it took to create it. For my telephone number, the national do-not-call registry has done wonders, because now I don't even have to yell at the guy from AT&T to make sure he puts me on their specific list, the way it had to be done before. Because of all the deceits that accompany spam transmission, (1) it is clearly an intrusion and we all know it, including the sender, and (2) communities need a reliable way to communicate with each other that provides high trust that the communication is from a known party and is not otherwise suspect. I can work out a secret handshake with some of my correspondents, but for others I need something else. Then there is the matter of individuals that want to contact me for the first time -- how do they get through whatever fortress I erect? Maybe I could use this social-network analysis to tune or prime an intrusion prevention system, but why not just build it up on a case-by-case basis? More to look at.

ACM News Service - Can Social Networking Stop Spam?
I think this is the idea. Control it from the edges, and let communities recognize themselves and each other. What I like about this is, if the gates are set properly, people can work this out and control it themselves. I am not sure what kinds of tools are required, or whether it can actually be very simple.

ACM News Service - In E-Mail Warfare, the Spammers Are Winning. This is more on how bleak things are, with the interesting estimate that 80% of all e-mail in the US will be spam by this summer. This is just a reminder for me to tweak my system. The basic rule is that, instead of trying to identify spam, I will assume everything is spam except for what I explicitly permit, and then tune that. There is more to do around qualifying mail that comes to me, but that would take care of most of the spam I now receive, and I wouldn't have to work so hard tuning it. Even then, I need to remain vigilant of all mail that shows up as somehow "off" even if apparently from a legitimate source. The virus guards have to keep running for sure.

Archive of W3C News in 2004. The announcements for the Week Ending March 19 include the VoiceXML 2.0 announcement and also interesting information about SVG 1.2, an updated edition of XML Schema, and more goodies. They've been busy around there.

ACM News Service - W3C Finalizes Internet Voice Standards. This covers an interesting announcement about VoiceXML 2.0 and the Speech Recognition Grammar Specification (SRGS). The idea is to provide speech on the web, and also allow people to interact with Web Services via audio. VoiceXML is claimed to be heavily deployed and there is a platform certification effort being established.

Wired 12.03: VIEW. This is Bruce Schneier's article on "America's Flimsy Fortress" in the March 2004 issue of Wired. Here, Schneier uses his wonderfully direct anecdotal thought-experiments to show how much of a facade many of our protections are, especially the ones that regard everyone as a potential terrorist.
This article is too short. I always want to read more from Schneier. There are ways.

ACM News Service - America's Flimsy Fortress. Bruce Schneier is suggesting that the tremendous effort on homeland security is ineffectual and that the greatest successes are through ordinary investigative and detective work, and other efforts to disrupt terrorist operations (cutting chains of command and communication, cutting off sources of funds, etc.). It seems to me that this continues Schneier's important warnings about these efforts being mostly cosmetic and perhaps dangerous because of that.

ACM News Service - Return of the Homebrew Coder. This is cool. It is how I want to be engaged in software development, although I want to do serious software-engineering this way too.

Sidebar: Watts Humphrey on Software Quality - Computerworld. This is the Gary Anthes 2004-03-08 Q&A with Watts Humphrey. There are some interesting sidebars, so I did not blog the print-friendly version the way I usually do. Coming to this page was peculiar, though. I declined to allow ActiveX to run (it doesn't matter and it cuts out intrusive animations for putting animations in my face). But then I was offered a login invitation/challenge for "CMA." I have no idea what that was, but I simply closed it and the page became accessible. I think I already have a Computerworld registration cookie on my computer, and even if I don't I am not expecting to have to authenticate here.

ACM News Service - Watts Humphrey on Software Quality. This is about a Computerworld interview where Humphrey explains the motivation for PSP and TSP (the personal and team software processes), and ways to move into CMM that work successfully from the bottom up.

ACM News Service -- If You Want to Protect a Security Secret, Make Sure It's Public. This newsblurb on a Wall Street Journal article (Lee Gomes, 2004-03-15) mentions SSL as an example of a security scheme that has stood up to public inspections.
(This morning, we are not so sure.) The real demonstration is in the Daemen-Rijmen Advanced Encryption Standard being adopted by the U.S. Government, after its public testing and challenging in a competition held for new, top-secret quality digital encryption techniques.

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations. Here is the first set of vulnerabilities that were uncovered in October 2003. These had to do with exposures in the ASN.1 parsing code that was used in the implementations.

OpenSSL: Related, OpenSSL/SSLeay. Here are some useful resources, including a link to the O'Reilly book.

OpenSSL: Documents, Misc. Well, this is still a fledgling effort (it is not at release 1.0 yet), and like many Open-Source projects, the documentation is considered "still incomplete."

OpenSSL: The Open Source toolkit for SSL/TLS. SSL is being mugged these days as the result of phishing and site impersonation activities. What seems to add to this is that it is not clear what the SSL agreement is, as opposed to TLS 1.0, which is an IETF Proposed Standard, and what kinds of agreements on encryption choices might actually be exploited as vulnerabilities. So is the vulnerability in the specification or in a practice? I came here to find an authority, but it makes me nervous to see old, long-obsolete Internet-Drafts as the only linked documents on how the open implementation is defined. I may have overlooked something. AnderBill and I are continuing to explore.

IETF RFC 3230: Instance Digests in HTTP. There are mechanisms for returning MD5 digests of the content of a message, and this RFC extends that principle to other cases.

2004-03-17

Experimenting with BitTorrent and RSS 2.0. There is work to create an RSS feed with "enclosures" that include descriptors for downloads of bigger objects. These bigger objects can be obtained using BitTorrent.
I haven't figured out the efficiencies yet, but they involve how a BitTorrent distribution works, sort of like a multicast, in that each destination becomes a new distribution point. This is a way for a community to receive a particular new file of interest, as well as notification of the file's availability. The notification comes out of RSS notification/syndication.

Schoolwork and Playing Hookey

I am seriously gathering Wiki material for bootspiraling up an nfoWare Wiki site (nfoWiki, naturally enough). So there are more gleanings and discussions being captured here. Concurrently, I am still collecting material on Computer Networking and, currently, SIP-related (whether SIP-using) applications. There is a cross-over here with instant-messaging and different social mechanisms.

Wiki Material

I must publish what I have because the blogger backlog of unpublished blog items has scrolled out of view.

Wiki Conventions

CommunityWiki: PersonalLogServer. Here's some out-of-the-box thinking about personal logs. I like the idea of personal logging. What is interesting here is that your personal log could be addressed by messages from other sources.

CommunityWiki: InterWiki. This is a thoughtful piece walking around the question of seamless InterWiki coordination. Yes indeed. Something for me to look at very seriously with regard to nfoWiki, once there is enough foundational scaffolding to deal with the basics. I want to come here, and the conversations that will build from here, to see how federated Wikis can operate and where in WikiText (if there at all) one accommodates this sort of thing. We know about InterWiki links being tied to QNames or something like it. What else is there to do to make sure there is a place for this? The blogger craft of commenting in another blog (or Wiki) and placing a link from the place commented on (or transcluded) is an interesting activity. It is not automatic, and that may make it even more valuable.

CommunityWiki: ConnectingWikiEssay.
This is a great essay on Connecting Wikis that was recommended by Bill Seitz. This is apparently more by Lion Kimbro (wouldn't it be great if all Wiki were attributed somehow, even with annealing?).

Lion's Den - Lion Kimbro's Personal Web Site. This is a kind of Wiki Blog. Lion Kimbro is here in Seattle. His March 15 article is about Trans-Rational and it is very interesting, as are the links and quotations from Michael Crichton. There is also a February blog on Wiki Proliferation, which is the reason that this Blog was referred to me, and others on CollabWiki by Bill Seitz.

Social and Collaborative Networking

Here's a cross-over topic from Wikiness to Messaging and Presence.

Approaches to Messaging and Presence

Unbound Spiral: Social Networking is Broken. Wow, the word Spiral is in my life this week. Here is an important blog on all of these systems set up to support social networks. It looks like that is not what they actually do, and there is some question whether they have sustaining value. He lists some things that are critical, including presence. I think, while reviewing the P2P bootstrap problem and related topics in a Computer Networking course over the past few weeks, that social networking is a local phenomenon, and global management puts organization at the wrong part of the network. The edges will work out their own communities, and the question is, what is a non-intrusive way to facilitate that?

The Company of the Future: How the Communications Revolution is Changing Management. This ACM Ubiquity book extract is fascinating and this is my marker to come back and look more closely. Classmate Dieter came up with it.

2004-03-15

Skype. The Skype approach to Internet telephony is to use P2P and proprietary protocols. The hook is that the voice quality is better than telephone.

IP Desktop Phones and Softphone Clients. Here's a directory that lists a lot of software-implemented VoIP clients.
Trust and Trustworthy Computing

Authentication of Announcements and Updates

Microsoft Technet Security

I ran into a problem with an invalid PGP signature on a Microsoft bulletin. This led me through the maze on how to notify Microsoft of a vulnerability in their presence. I wouldn't have figured this out without some hints from a friend in Redmond. On the other hand, there are places I have never succeeded in notifying that they have an exposure in a web-delivered service or presence.

Microsoft TechNet Security - Product Security Notification. This is an important page. It is also how one obtains Microsoft Security's PGP Certificate for verifying the validity of their key signature: "Verifying our Digital Signature: We digitally sign all security bulletins. To verify the signature, please download our PGP key here. The key's fingerprint is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432." There is still some work to do to be set up to verify the signature, unless you are using a non-Microsoft mail client. Even so, the procedure does work and I have had a signature fail. Fortunately, Microsoft creates a variety of safeguards, including use of plaintext messages (so URLs are easily readable) with no attachments. Also, there is always something on a definite Microsoft site location that repeats the information and provides further instructions. I tend to find these authoritative and a verification on the e-mail's content, whether or not I verify the signature.

2004-03-14

Information Systems

Collaboration and Coordinated Work

Wikis 'R' Us

Wikipedia Bookmarklets. These are little Javascripts written into URLs or bookmarks that become procedures for doing something on the Web. Blogger's Blog This! bookmarklet is similar. What I like about the ones here is that there are provisions for a variety of browsers.