Friday 31 July 2009

Jimmy Page: Outrider (1988)

A well-balanced selection with some prime nuggets

Warning: this article is a review of a 1980s rock/blues album!

Jimmy's debut solo album appeared in 1988 when he found himself between collaborations (The Firm and Coverdale-Page). "Wasting My Time" sets off with a suitably upbeat riff, John Miles on vocals sharing the punctuation with Jimmy's clean chords during verses, bottleneck guitar at the end of the line. Inevitably, comparisons with certain Led Zeppelin recordings will be made (particularly so when one lineup contains Robert Plant, and Bonzo's son Jason Bonham, in "The Only One", a Page/Plant composition - turn up that guitar echo, one notch past Eddie Cochran). In this case, the tempo and the production can be traced squarely to the closing track of Physical Graffiti, but the song stands out on its own.

"Wanna Make Love" - with that title, you'd probably expect just the rockalong boogie that Jimmy starts off playing. His heavy rhythm work is loud and prominent, expertly framing John Miles' strutting sexual lyric. But wait for the chorus, and this axeman's gotta hooge surprise in for yer! He can hardly race to the end-of-the-bar riff quickly enough, prior to _s_t_r_e_t_c_h_i_n_g_ out the tension before the next crashing windmill stroke. And that tension, in these multiply-pregnant pauses, seems to heighten and lengthen with each repetition. This is the same dramatic combination of timed interruptions and whammy bar work that he used to such great effect on "For Your Life" (on Zeppelin's "Presence" album), but here it's taken to its absolute limit. Three such breaks in particular, taken near the end of the song, sound so deliriously dazed and climactic - well, it works for me. This track has genius.

"Writes of Winter" is a workmanlike Page instrumental employing various guitar textures and the trademark start/stop switches; though it's more of a journey by road, than anything evocative of winter. On the opposite side of the Page/Plant jewel lives "Liquid Mercury", another masterly instrumental study in musical punctuation.

Leon Russell's "Hummingbird" is given a blues makeover, with Jimmy's ambling and ponderous accompaniment to this beautiful love song lending extra depth of field and colour to Chris Farlowe's emotional rendition. The master session guitarist can be heard wrapping around each line of the song, never obtrusive; the first solo is similarly understated, fitting the mood of the song perfectly. Don't worry though, the second solo is pure Page (it's his album after all).

"Emerald Eyes" is the last of three instrumental tracks sprinkled uniformly between the blues and rockers. This is a guitar ensemble arrangement built on a backbone of double-tracked twelve-string acoustics, with electric and synthesizer melodies and counterpoints; once again quite restrained and purposeful, delightful, engaging.

The album concludes with two great original Jimmy Page / Chris Farlowe compositions. In "Prison Blues", Jimmy combines and continues the traditions and the well-worn paths of classics like "You Shook Me" and "Since I've Been Loving You", by stepping on the brake pedal and letting the blues slide and glide. Zepheads, you'll know exactly what to expect from note #1, and Jimmy delivers once again. Finally, "Blues Anthem" sounds like an old standard of the genre, but ain't; it just happens to be so perfectly conceived and realised, it sounds like it's been around forever. An arrangement of strings, a soulful electric solo, Chris' perfect reverence for his subject, and Jimmy the production wizard with just the right levels on the "echo" and "sadness" sliders, make this a blues you will come back to. All said, a very well-balanced album, with some priceless chunks of gold.

First published on Amazon.co.uk, 26th September 2000.

Thursday 30 July 2009

Book Review: Computer Security

Computer Security
20 Things Every Employee Should Know
The Employee Handbook for Securing the Workplace

by Ben Rothke, CISSP
Paperback: 48 pages
Publisher: McGraw-Hill Osborne; 2nd Ed.
ISBN-10: 0072262826
ISBN-13: 978-0072262827

Ben Rothke has assembled a wealth of good advice, guidance, rules, cautions and precautions, from over 15 years of experience in the fields of security and privacy of information systems, and done a very good job of distilling this into his mostly excellent little book. The Second Edition includes information about the latest trends in:
  • phishing and spyware
  • identity theft
  • viruses and malware
  • remote access threats
  • instant messaging
  • handheld devices
  • social engineering tactics
...all of this while retaining its healthy focus on good practice and common sense, as well as the necessity of getting everyone in the enterprise "on-board" with the corporate security strategy - the essential backbone of the various interconnected policies, physical infrastructure, and human interfaces.

In the introductory chapter, Mr Rothke describes how an effective security policy is based on the three "fundamental security principles" of Confidentiality, Integrity, and Availability - traditionally presented in this slightly illogical order so as to facilitate the use of the acronym, "CIA". This device, of rounding off your message with three bullets, is used effectively throughout the rest of the piece, helping digestion.

There is a lot to recommend the presentation of the material in this form. Perhaps one American reviewer is right, who on Amazon.com suggests buying this slim volume "by the boxload". On the other hand, it's difficult to ignore the fact, evidenced by the Amazon.com "Real Name" badge, that said reviewer just happens to be called "Joy Rothke"!

Certainly this is an easy, quick and rewarding read. If you are responsible for your corporate network security, it might be just the ticket to get people signing up to your strategy, taking responsibility for their online and other related activities. It reads well, presents a shedload of familiar scenarios, some amusing, some cringeworthy. Most importantly, it is written in plain and easily understood language, refreshingly clear of management speak.

Having said that, there is also a sense among certain writers that "Lists can be lazy journalism", and in this book there does appear to have been a bit of stretching here, a bit of padding there, just to deform the content into 20 similarly formatted, self-contained, 2-page chapters, each ending with three bullet points and a "quote". While the bullets often echo those from earlier chapters, most of the "quotes" are unattributed - presumably these are the author's own; they just restate the chapter heading as a sound bite.

One last niggle: surely the introductory statement, "The importance of a security strategy cannot be underestimated", should have been corrected by now? Please Mr Rothke, let's have "overestimated", or better still "overstated", in the Third Edition.

Amusingly, the Amazon.co.uk listing for the First Edition gives every appearance of a well-hacked site, the author being listed variously as "Ben Rothke", "Samuele Ghelfi", and "Kathy Ivens". Laugh? I nearly did!

Computer Security: 20 Things Every Employee Should Know - available now at a coffee table near you.

Wednesday 29 July 2009

Charlotte's 2009 Solo Tour

Charlotte Hatherley has just announced dates for her 2009 Solo Tour in support of her new album, "New Worlds" (confusingly referred to as "Cinnabar City" in several places), soon to be released on her own record label, Little Sister Records. Samples can be heard on MySpace.

This is a busy year for the impossibly glamorous erstwhile Ash maiden, as she juggles full-time touring duty with Bat For Lashes, jetting off to Paris to become 30 and battered, shooting the video for her new single White, and gearing up for the new album release and tour - which has to be slotted into a window of just a couple of weeks, before the next BFL tour kicks off!

Looking forward to seeing her at King Tut's, September 18th, for the princessly sum of £7...

Security 101: Part 1

Deep Thought And The Wrench

Hello, I’m John Kerr, and like the sidebar says, I’ve been programming computers since high school circa 1972. Back then, “writing a program” meant transcribing my BASIC or Fortran on to the special fixed-pitch stationery, prior to snail-mailing it to the local university to be typed in manually at a terminal, the output from an ICL mainframe being returned to my school in time for the next week’s lesson. The debug cycle was a bitch!

Today, several things have improved: including the languages, and more generally, the software development environment, as well as almost every aspect of the performance of our computing machines. At the same time, the universal adoption of automation, and particularly of the internet as a means of conducting commerce, education, social activity, and the provision of goods and services in countless additional domains, has led to the creation of new problems, new challenges, in totally new areas of investigation and research.

Many of these areas come under the umbrella of “Security”, and it is with this single word, in all of its nuances and connected subtopics, that I will be concerned in this first series of articles.

It is customary to open proceedings by drawing attention to one invariant fact. Namely, that the size of your subject - its breadth and depth of scope, as well as its height, width, length, thickness, and any other dimension – far exceeds anything in the minds or recent experience of your audience. No matter the nature of your subject, this one thing must be true about it.

Luckily, this does happen to be true of my subject, as will become clear in the course of succeeding articles. Security, Is, Big.

Another obligatory ingredient is humour. This should preferably be supplied either by Scott Adams via Dilbert, or perhaps even better, by Randall Munroe via XKCD:

One further convention should be adhered to by anyone presuming to talk authoritatively about security. The speaker should be a criminal. And not just that: one whose crimes relate to some aspect of the subject. Almost any crime will do. A housebreaking, a car theft, or even a mugging can highlight some aspect of security in need of improvement. But for our purposes, the ideal candidate is someone who has reverse-engineered security systems in order to obtain access to protected information. In short, we need: The Hacker.

Some Of These Numbers Mean Something

At this point, I should probably admit my unsuitability for this role. After all, I was recently vetted by our boys and girls in blue, and confirmed as suitable for handling police confidential data. So, clearly there’s nothing in my personal past which…

Hmm. Ah, yes. Of course. That one time…

It was in the early 80s, I can’t be any more specific than that. My friend had a £3,000 Automatic Computer Aided Drawing package, which he wanted to be able to use on two machines, but the damned thing came with a dongle – a small device that plugged in to one of the serial communications ports on the PC – and so he had to remember to carry this device to and from work every day, and go through the laborious process of gaining access to the back of the main unit each time to unplug or insert it.

This was a pain. Of course, the dongle was a so-called “potted module”, encased in resin to ensure that any attempt to take it apart for investigation would destroy it, and he didn’t have a spare £3,000 for a replacement one.

Being more hardware-oriented than I, he had established that the software was using a couple of handshake pins on the serial port to clock and read in a binary code from the device. With the help of a storage oscilloscope, we determined the sequence of that code, which was some 250 or so bits long. As a proof of concept, we built a programmable ROM device to simulate it, and that worked - but clearly, this simulation was too large to fit inside the module. A working simulation solution wasn't enough; we wanted to reverse-engineer it completely!

Then I remembered a particular type of digital feedback circuit design from university, wrote a program to simulate that, and ran it until it discovered a circuit producing the observed code. Presto. One visit to that nice Mr Bridges at Marshalls Electronics in West Regent Street, and 14p worth of logic chips later, we were set to enter the lucrative dongle mass-manufacturing market.
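The "digital feedback circuit" above is, on my assumption (the article never names it), a linear feedback shift register, and the security lesson of the story is that such a circuit's output fully determines its wiring. This added example, mine and not the author's, builds an 8-stage LFSR from constructed taps (not the real dongle's), generates its 255-bit code (a period close to the "250 or so bits" observed), and recovers the taps from only the first 16 bits with the Berlekamp-Massey algorithm instead of the brute-force search the article describes:

```python
# Added example, not from the article: an LFSR leaks its own design in its
# output. Taps and seed are constructed for illustration; the real dongle's
# internals are unknown. An 8-stage maximal LFSR repeats after 255 bits.

def lfsr_sequence(taps, seed, nbits):
    """Fibonacci LFSR over GF(2): emit state[0], shift, feed back XOR of taps."""
    state, out = list(seed), []
    for _ in range(nbits):
        out.append(state[0])
        fb = sum(state[t] for t in taps) & 1   # parity = XOR of tapped stages
        state = state[1:] + [fb]
    return out

def lfsr_period(taps, seed):
    """Number of steps until the seed state recurs (255 for a maximal 8-bit LFSR)."""
    start, state, n = tuple(seed), list(seed), 0
    while True:
        fb = sum(state[t] for t in taps) & 1
        state, n = state[1:] + [fb], n + 1
        if tuple(state) == start:
            return n

def berlekamp_massey(bits):
    """Shortest LFSR generating bits: (L, c) with s[n] = XOR_{i=1..L} c[i]*s[n-i]."""
    n = len(bits)
    c, b, L, m = [1] + [0] * n, [1] + [0] * n, 0, -1
    for i in range(n):
        d = bits[i]                           # discrepancy of the current guess
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t, shift = c[:], i - m               # correct c using the previous polynomial
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:                        # register must grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def recover_taps(observed):
    """Connection polynomial -> tap indices in lfsr_sequence's convention."""
    L, c = berlekamp_massey(observed)
    return L, sorted(L - i for i in range(1, L + 1) if c[i])

def demo(taps=(0, 2, 3, 4), seed=(1, 0, 0, 0, 0, 0, 0, 0)):
    stream = lfsr_sequence(taps, seed, 255)          # the code seen on the scope
    L, found = recover_taps(stream[:16])             # 2L bits are enough for an L-stage LFSR
    rebuilt = lfsr_sequence(found, stream[:L], 255)  # circuit built from the recovered taps
    return L, found, rebuilt == stream
```

The point for a defender is that any linear "secret" is determined by twice its length in output bits; a dongle that answers random challenges with a keyed cipher does not have this property.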

Which of course we didn’t. Rather than be seduced by the dark side of the force, we just celebrated and congratulated each other with a single working prototype and a beer at The Howff.

My friend was of course perfectly entitled to use his CAD package on his two PCs, and as for what we did – well, back then there were no anti-circumvention laws, not even in America, never mind the Land of the Barras! What we did would today be classed as Security Research. This is currently an area of extremely hot contention and debate, and later in this series, I will be looking at the kind of experimental activities that are sanctioned in various countries, and which ones require special permissions or exceptions to the overriding legislation.

We conspirators performed our research in the pre-web vacuum. Although bulletin boards existed and were subscribed to by specialists using 300 baud, acoustically-coupled modems, there was no means of connecting instantly to all the dongle-breaking intelligence in the world, as there is today for this or indeed any other subject. That very connectivity is of course one of the main driving forces behind much current legislation, in addition to being – as previously noted – the source of many of the problems that it addresses.

My example also illustrates a number of other subjects which will be covered in more detail in later articles. One relates to the visibility of the wires connecting the dongle to the PC: these are a vivid case of a “security hole”, and there are of course countless others. Consider for example the people who typed in my school program to the mainframe; clearly they could read all of my top secret information! Recently popularised security holes include the pattern of wear on a keypad used to enter a single access code, and a proposal to discontinue masking of password entry (which caused internationally renowned security expert Bruce Schneier to make what many regard as an uncharacteristic error).

How It All Ends

All of that is coming up later. Meanwhile, I want to finish this introductory article by spoiling the entire series for you and giving away the ending.

The answer is: have a Security Strategy!

Every article will refer back to this mantra, and hopefully prove that it is the single most important facet of any security system or context.

In the case of the XKCD cartoon: well, one visible component of the security strategy is probably Microsoft's security model for Windows, which is based on identity. The owner of the laptop establishes this by providing a password. Therefore, the security strategy relies upon the presumed fact that nobody else can know this password. Soon we might expect this to be extended to biometric data such as fingerprints, iris scans, etc., but with the model, and its place in the security strategy, remaining the same.

Until next time ... have a Security Strategy!