Saturday, 31 October 2009


Fangs Ain't What They Was

Very few guising parties abroad tonight; we seem to be following America in stealing the Feast of All Souls away from the children, and using it for our own drunken revelry (I recently read somewhere that in Ohio, they have “Beggars’ Night” for the kids, a couple of days before Hallowe'en, "on the thinking that Halloween has been colonized by adults, who will have lots of drinks at their Halloween parties and then take to the road, not necessarily watching for tyke-sized ghosties and ghoulies out looking for treats").

Anyway, our lot were out upholding the best of the tradition, starting with Little Niece, who made her own mask. Good, eh?

Accompaniment was provided by the sundry niece and nephew corps. Note the intentionally uncorrected red eye, because - well, Hallowe'en, blood red eyeballs on stalks, what's the problem?

We adults took an extensive, active and exhausting role in the event.

I guess we made the mistake of over-imposing on Little Niece's excellent nature, because after posing without complaint, then cracking her tooth on one toffee apple, before selflessly donating another to her younger cousin (who found hers inedible), she finally gave up asking politely for the cameras to be taken out of her face, taking instead direct action.

At least we can still see the back of her; sadly, Little Nephew once again spent his entire Hallowe'en upstairs alone, stuffing all of his hard-earned pocket money into Steve Ballmer's wad.

That was October for you.

Photographs copyright © 2009 by Linda Kerr.

Friday, 30 October 2009

Observations on Observations

What The Hell Is Going On?

Last week, and in fact part of the week before, we saw the tenth anniversary of Canada's Premier Institute for Theoretical Physics celebrated with a festival: Quantum to Cosmos: Ideas for the Future. One fascinating discussion, picked up by New Scientist and widely disseminated, took place when a panel of leading physicists ran headlong into the question, "What keeps you awake at night?"

Topics in the above article include the anthropic principle; the continuous annihilation of dark matter; the nature of dark energy; emergent complexity; string theory; the holographic principle and the (cosmological) singularity; entanglement and the nature of observation; and rounding off all this, the limits of knowledge. For deeper coverage, the festival site has many video clips on a breathtaking array of subjects, in no way limited to the preceding list, and all available to watch here:

Disclaimer: the random musings that follow below are presented for amusement only, and have no connection with any person who knows what they're talking about. They're just three speculations with a slender common thread. Also, the Lottery references are to the UK National Lottery; lastly, and most importantly, there is a "u" in "colour".

Observing A System

Observers, and their universe. They observe it, don't they? Well in a way, but remember, what they actually observe is the universe that contains them; in other words, they're a part of what is being observed.

An observer can observe some small part of the universe. Another observer, for instance. Or even itself. It can be said to be observing the entirety of the universe, excepting itself - which is what I usually imagine whenever I hear the term "observer". Something outside the universe, looking in. Yet that's not really what we have here. Instead, we have a small part of the universe, observing another part of itself.

Isn't there a sense in which the spatial distinctions implied by that account are illusory? When particles are entangled, for example, they act in all respects like immediate neighbours, regardless of the distance between them. And all distances are measured over the full set of dimensions, not just three arbitrarily selected spatial ones. So, could an observer be considered as extending over multiple, seemingly disjoint and disconnected, regions of space-time?

What's an observation anyway? Just a collection of particle interactions? When I observe a sunset, electrons in my cells are receiving, or interacting with, photons that originated something over 92 million miles away. Seems to me that a single Feynman diagram should suffice to picture that situation.

Now, let's try to zoom in on the observer here. In doing so, we conceptualize ourselves as some kind of meta-observer, which seeks to reduce the sunset-beholder to its lowest terms. Those electrons in my body, the ones doing the interaction with the sun's photons, well, they had certainly better be counted as part of our observer. What about the atomic nuclei they associate with? Curiously, if you trace the paths of the neural signals from my retinae through to my visual cortex, you will be following electron-photon interactions, in combination with almost imperceptible gross movement of particular electrons, all the way down. The bulk of the atoms, the atomic nuclei, will play absolutely no part in the act of sunset observation, other than as a static scaffolding giving those electrons somewhere to be. Even then, it's only the outermost shell of electrons in a given atom that plays any part in this process.

Certainly at the other end of this interaction, the sun, we have a quite different process which is producing the photons in the first place. And yes, that end does in fact require some involvement on the part of the local atomic nuclei. But from that point onward, the observation event is just an electromagnetic dance, ending with certain chemical changes in my nervous system.

What makes this sequence of interactions so special? What characterizes an observation, what distinguishes it from any other situation in which photons are exchanged between electrons? Take any photon in transit from old Sol. Quantum electrodynamics tells us that it can split quite spontaneously into a positron and an electron, which then recombine, eliminating each other and producing a photon. This might happen any number of times during its eight-minute journey to Earth. Upon hitting the upper atmosphere, it may then find itself absorbed by one of the outer electrons of a gas atom, causing a transition to an excited state. Do any of these interactions of the photon qualify as an "observation"? If not, then how exactly do they differ from the case where that excitable electron was in my eyeball, or the middle of my head?

Much of this can be encapsulated in the thermodynamical concept of a system. When we seem to peer out at the world, observing it as we might, we treat it as one closed system - with ourselves outside of it. This works well enough for observation of everyday objects at a sensible scale, for example, the balls on a snooker table. As the system shrinks, it begins to pull me in, until I find myself trying to observe single photons, and discover that the only way I can do so is to absorb them entirely into my body. They have left the system, escaped from the experiment; or to put it another way, I have become, bodily, a part of it.

No surprise then, to discover certain corollaries to this, such as: it's impossible to measure anything without changing it. Imperceptibly perhaps, but in the end it's all just a matter of scale. A voltmeter draws a tiny current in order to operate; this current causes a corresponding drop in the voltage across the source's internal impedance, with the result that the displayed voltage is slightly different from the value prior to measurement.

Observation is interaction: all the way down.

Deal Or No Deal

One of my better high school teachers, in chemistry as it happens, had a pet theory about the symmetry of time. We are talking 1974 here, when such ideas were popular only with certain types of crackpot, and quite invisible elsewhere. One day a few of us stayed behind after class to ask him a question or two about electron orbits, and somehow we got sidetracked into this idea of his. Next thing we knew he'd produced a pack of playing cards, which he proceeded to shuffle, then demanded that I start predicting the colour, red or black, of each card as he turned it over.

I started off well. Can't remember the exact sequence, save for the fact that it had a long run of about half a dozen reds near the start, but I certainly got into double figures, somewhere between 12 and 16 cards, without getting a single guess (prediction?) incorrect. Aware of being watched by my friends, I called out every one of those colours with complete confidence.

Then I paused, saying aloud, something like "This is too freaky. I'm going to start getting them wrong now." And the next half dozen or so were indeed wrong, just as I predicted. After that, I stopped and refused to continue. For some reason unknown, I had become fearful of getting one guess incorrect!

At the age of 16 I had an undeniable desire to impress my peers, and I'm certain that had a lot to do with the outcome of our little experiment; and perhaps, with my sudden desire to stop before the first, inevitable, failure. But what are the chances of getting this sequence of results? That's an easy calculation: somewhere between 1 in 262,144 (assuming 12 cards in my first run, followed by 6 correctly predicted mismatches) and 1 in 4,194,304 (assuming 16 + 6).

Throughout the trial, I had the unmistakable feeling - consistent with my teacher's pet theory - that I was in some sense reaching a little into the very immediate future, and somehow capturing a "memory", which I would rather term a "conviction", of what colour the next card would turn out to be. The closer you are to an event in time, he reckoned, the easier it should be to "remember" - regardless of whether it's a past or a future event.

Scott Adams, he of Dilbert fame, has written about this at some length, although he frames it very differently. When he talks about affirmations, for example in The Dilbert Future (p. 246, also Appendix A), I detect the same as-yet poorly understood phenomenon, the tricking with time, the constant falling-through into particular possible futures. Recently, Noel Edmonds has made much capital of a poorly understood, mysticised and new-aged-up version of the same idea, awkwardly framed as half philosophy, half self-help guide.

Richard Feynman's Quantum Electrodynamics, The Strange Theory of Light and Matter, contains a lucid account of the summing-over-all-histories method of prediction. At any given point in space-time, a given quantum has a certain propensity to move to any other such point. A lot of these propensities cancel out; others are bunched up in a particular direction, and hey presto, if that's not just where the darned thing goes.

Propensity: might be a good term to use for the complex square root of a probability! Better than Amplitude, at any rate.

When the Lotto [UK] balls tumble on a Saturday night, all fourteen million possible outcomes are represented by such propensities. Is there any way to force these to "bunch up" in a particular direction, so that a predetermined set of six numbers comes out?

Actually the signs aren't all that good. Under some modern interpretations of quantum mechanics, all of these possible worlds cascade forward into actual existence. Picture fourteen million distinct new realities, complete new universes, splitting off in unknown dimensions from a common starting point, the Saturday night lottery machine. Each new universe contains a replica of me, and most of these - almost all of them, in fact - have not just won the lottery.

Would there be any visible, observable indications if this interpretation were incorrect? Maybe there is but one actual reality, after all. Maybe I can bunch up the fibres of propensity in my favour, perhaps by leaving lots of little notes lying around, notes whose existence, or whose observation, would make certain lottery outcomes much less likely than others?

Observation is interaction: all the way down.

The Digital Universe

The majority of physicists today, when they can be pressed to opine on the matter (and many refuse), appear to be of a consensus that our universe is a simulation. At least, that's my impression of that community, from what I've read, both in the popular science press, and here on the web. However there's so much material available on the subject, it would be fatuous to pick out one such reference to "prove" my assertion. So you'll just have to do your own research, and form your own impression.

True or not, academically popular or shunned, this has undeniably been a favourite theme of much science fiction since the first half of the 20th century, and a favourite subject of philosophers much further back than that. It's inevitably one of those possibilities that enters your head when wrestling with quantum mechanical concepts. But in either of those contexts, it can't be said to have any more validity than, say, extrapolating the model of the atom as a solar system, in an indefinite recursion, without paying heed to the many and fundamental differences and incompatibilities between the two pictures.

What brought it home to me, after more than 35 years of programming these wonderful little digital systems, was a development in Loop Quantum Gravity. Specifically, a proposal to measure the stretching out of the spectrum of light coming to us across billions of light years, to see whether the discrepancies between the red and the blue predicted by quantized space were actually present. And why should the universe be quantized? Maybe because it's nothing more than the state of a digital simulation!

It seems likely that if anything is quantized (the available energy levels of an electron, for instance), then everything will be, including space-time. And by that is obviously meant, the entire M-dimensional manifold of our being, whatever that value of M eventually turns out to be.

Now consider the digital system on which our simulation is running. From our experience of software development, our knowledge of mathematics, the availability and impossibility of various algorithms, and the success of the neural net approaches, we would probably admit that the system software of this universe is genetic in its nature and approach. And once again, when it's laid out like that, it becomes clear. Of course nature uses genetic algorithms, where else would our brains - products of these methods - have picked up the idea?

Now, can we divine any information about who might be running this simulation? If the general argument is valid, making it vanishingly unlikely that we are not such a phenomenon, then it can be applied recursively to establish that we are "almost certainly" a simulation being run by a simulation, much as recent Sims games have your little creations running their own Sims. And so on, ad absurdum.

Actually there are several ways out of this reductio, each more fascinating than the next; see Paul Davies's Goldilocks Enigma for a full treatment.

At first glance, there doesn't seem to be much that we can infer about any of those higher levels, just from looking at this great universe of ours. However, if we assume that we are a simulation with a purpose, then it becomes likely (or at the very least, rational to assume) that we are observed. Shouldn't there be implications for our ability to detect such acts of observation?

Observation is interaction: all the way down.

And Finally: How It All Fits Together

Erm... on second thoughts actually, details are left as an exercise for the reader. Don't say I'm not good to you.

Listen up, people:

Take Me With U, not Let's Go Crazy.
Say Hello Wave Goodbye, not Tainted Love.
Northern Lights, not Harry Potter.
Prokofiev, not Rachmaninoff.
Arthur Schopenhauer, not Immanuel Kant.
Pie, not cake.

Okay, carry on.

Sunday, 25 October 2009

Dog Biscuit's Trading Pages

Sorry For Any Delay

Each year about this time, I get an email from someone asking me kindly to reinstate one of my old websites; a plea that's remained unanswered before, due to my being busy with other things. Shame on me. But I'll miss that message this year; it will be bounced back to sender (we've dropped Virgin Media, losing old early adopter mailboxes like 'j.kerr' and 'yesman', in favour of Sky Broadband's unique, truly unlimited offering).

The website in question, Dog Biscuit's Yes & Led Zeppelin Trading Pages, grew, between its 1990s origins and the subsequent demise of mass CDR trading (at the hands of BitTorrent) around 2005, to become the world's fourth biggest CDR trading site for bootleg recordings (aka ROIOs: Recordings Of Indeterminate Origin) of the progressive rock band Yes - behind the similar efforts of France's Yann Clochec, Holland's Ruud Ermers, and Germany's Matthias Müller (Matze's Yesshows).

I've reinstated it here:

My Yes collection contained some 600-odd recordings, while those 3 other sites all had twice or three times that. The popularity of Dog Biscuit's Pages was as a resource for other collectors. It contains artwork links for all recordings where available, and a handy print utility for these; is searchable by artist/tour, song, keywords (date, venue, recording title, catalog number), media type, source and grade; and displays search results in five different formats, depending on the task in hand.

Thought I'd write a little about it here, as someone recently noticed this blog, "My Code Here", actually contains thus far, not one binary digit's worth of my code.

The main site is distinctly Web-1.0. All of the corners are sharp. It has a quaint, naked click counter. There are no Frames, no IFrames, no Tables, and minimal CSS which is only used to provide printer-friendly output. Everything is done with JavaScript, for two reasons: primarily because this was a learning exercise in that language, and also because its original home was a paltry 50MB of free hosting space, with no server database support.

Basically, the site functions by downloading to the browser its entire database, which is embedded in highly compressed, manually maintained, .js script files. Once there, your page or search parameters control the building of that content into HTML. Here is a sample db entry, expressed as a function call:

add('Yes', '1968', '1966-73', '', "Moments", '1CD', 'VAR', "'B-' to 'A'", '7148/10001', 'MomentsEarly',
    "[RS] (BBC, 1973-11-01), [BAB|IOYAM|J] (Mabel Greer's Toy Shop, BBC 1968), [DF|BAB|FORE] (BBC 1969-70), [DF|ER|ISY] (Live in Sheffield, 1969-12-21), [WTP] (Larry Smith single, featuring Chris Squire, Tony Kaye; 1970).",
    A1 + 'momentsf.jpg">Front ' + A1 + 'momentsb.jpg">Back')

Once processed into HTML, expanded and rendered, this example comes out like this:

1966-73 "Moments" (1CD) Various Sources 'B-' to 'A'

The Revealing Science Of God (Dance Of The Dawn) (BBC, 1973-11-01), Beyond And Before, Images Of You And Me, Jeanetta (Mabel Greer's Toy Shop, BBC 1968), Dear Father, Beyond And Before, For Everyone (BBC 1969-70), Dear Father, Eleanor Rigby, I See You (Live in Sheffield, 1969-12-21), Witchi-Tai-Po (Larry Smith single, featuring Chris Squire, Tony Kaye; 1970).

The script also does a few other things. It alternates the thumbnail alignment on the page, to give both a pleasing layout and an economy of real estate. It also adds mouseover hints, visible in all browsers that support these. Finally, when a recording is awarded a grade of A+, it slaps on a cheerfully yellow The Dog's Bollocks sticker, modelled above.
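To show how the embedded-database approach above hangs together, here is an added example, written for this page and not the trading site's own code: add() collects entries, the bracketed song codes are expanded from a lookup table, the result is rendered to HTML, and a keyword search runs over the expanded text. The field names for add()'s twelve parameters are my reading of the sample entry, the song and source tables are constructed to cover that one entry, and the artwork parameter is reduced to a list of filenames; all three are assumptions.

```javascript
// Constructed lookup tables covering the sample entry only (assumption:
// the site's real tables are far larger and keyed the same way).
const SONGS = {
  RS: "The Revealing Science Of God (Dance Of The Dawn)",
  BAB: "Beyond And Before",
  IOYAM: "Images Of You And Me",
  J: "Jeanetta",
  DF: "Dear Father",
  FORE: "For Everyone",
  ER: "Eleanor Rigby",
  ISY: "I See You",
  WTP: "Witchi-Tai-Po",
};
const SOURCES = { VAR: "Various Sources" };

const db = [];

// One db entry per call; the data .js files are a long list of these.
// Parameter names are an assumption based on the sample entry.
function add(artist, tour, dates, flag, title, media, source, grade,
             catalog, slug, tracks, art) {
  db.push({ artist, tour, dates, flag, title, media, source, grade,
            catalog, slug, tracks, art });
}

// "[BAB|IOYAM|J]" -> "Beyond And Before, Images Of You And Me, Jeanetta".
// Unknown codes are left in brackets so a typo in the data stays visible.
function expandTracks(tracks) {
  return tracks.replace(/\[([A-Z0-9|]+)\]/g, (_, codes) =>
    codes.split("|").map((c) => SONGS[c] || `[${c}]`).join(", "));
}

// Everything from the data files is treated as text and escaped before
// being spliced into markup, so the browser renders it literally.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Plain-text headline in the form of the rendered sample on the page.
function headline(e) {
  const source = SOURCES[e.source] || e.source;
  return `${e.dates} "${e.title}" (${e.media}) ${source} ${e.grade}`;
}

// HTML for one entry; an A+ grade gets the sticker mentioned above.
function renderEntry(e) {
  const sticker = e.grade === "A+" ? ' <span class="sticker">A+</span>' : "";
  const art = (e.art || [])
    .map((f) => `<a href="${escapeHtml(f)}">${escapeHtml(f)}</a>`)
    .join(" ");
  return `<h3>${escapeHtml(headline(e))}${sticker}</h3>` +
         `<p>${escapeHtml(expandTracks(e.tracks))}</p>` +
         (art ? `<p>${art}</p>` : "");
}

// Keyword search over artist, tour, title, dates, catalogue number and the
// expanded track list, so a song name finds entries that only list its code.
function search(term) {
  const t = term.toLowerCase();
  return db.filter((e) =>
    [e.artist, e.tour, e.title, e.dates, e.catalog, expandTracks(e.tracks)]
      .some((field) => field.toLowerCase().includes(t)));
}

// The page's sample entry, with the artwork argument reduced to filenames.
add('Yes', '1968', '1966-73', '', "Moments", '1CD', 'VAR', "'B-' to 'A'",
    '7148/10001', 'MomentsEarly',
    "[RS] (BBC, 1973-11-01), [BAB|IOYAM|J] (Mabel Greer's Toy Shop, BBC 1968), " +
    "[DF|BAB|FORE] (BBC 1969-70), [DF|ER|ISY] (Live in Sheffield, 1969-12-21), " +
    "[WTP] (Larry Smith single, featuring Chris Squire, Tony Kaye; 1970).",
    ["momentsf.jpg", "momentsb.jpg"]);
```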

There exists a parallel, static site, comprising one page per artist/tour; this is what you will see if you browse to with scripting disabled. To ensure these pages are kept current, they are autogenerated periodically using a further JavaScript program, embedded in the page generate.htm. If you want to look at that code, be warned that it's full of ActiveX (for local disk access), so IE-equipped is forearmed.

The addition of Led Zeppelin and other artists was a half-arsed attempt to ensure the code remained scalable. That's impossible of course, given the highly unconventional data access design. But in the pre-AJAX ecosphere, this little site did a perfectly acceptable job of maintaining a typical boot collection, and providing useful reference resources to other collectors.

Monday, 19 October 2009

Dear Charlotte (Part 2 of 2)

What He Said:

Great to see Charlotte Hatherley's new album being chosen as CD Of The Week in the Sunday Times Culture magazine. From the article by Dan Cairns, three excerpts:

There are seven primary and five secondary notes in western music...

What [Charlotte] should really be cherished for is her trio of solo albums, of which New Worlds is the third and best...

...these are sensational songs, from an artist who remains bafflingly overlooked, but continues to dive into that tiny pool and come up bearing pearls.

That puts it so much better than I ever could, so I won't. Save to express the hope that the epithet, "bafflingly overlooked", which has already been applied to Charlotte many times, will begin to work its magic this year.

Just over a year ago one of my favourite bands, the Criminally Neglected Elbow, won a Mercury prize, and immediately began enjoying great success as simply Elbow.

Sadly the same effect doesn't seem to be working this season for my SPL team, Hamilton Academicals Nil.

To your great relief, my planned discourse on the theory and nature of progressive music has been dropped, however temporarily, in favour of simply asking you to click through and glance over Dan's article, above. It's almost enough to forgive him this howler, from his extensive Fleetwood Mac article in the same issue:

Not that things don’t remain unsaid: this is Fleetwood Mac, after all.

Seriously, who needs three negatives?

Tuesday, 13 October 2009

A Cross-Domain Conversation

RIA Security Flash!

Adobe Senior Security Researcher Peleus Uhley recently wrote a Microsoft BlueHat blog guest post, on the subject of web sites' permissions for cross-domain access, and some security issues with these arrangements:

It's interesting to see how security considerations encourage companies such as Adobe and Microsoft to work together. The MS BlueHat Conference Series in particular now has a history of "building bridges" between their developers and executives, key security program partners, and members of the security research community.

Peleus gives multiple examples of threats, based on a vulnerability introduced by cross-domain XMLHttpRequest. More generally, the gotcha to look out for is the transitivity of cross-domain permissions. Commenting on this research in the MS-SDL blog, Bryan Sullivan puts it like this:

If site A grants privileges to site B, and site B grants privileges to site C, then site A is implicitly and perhaps unknowingly granting privileges to site C.

So, let's assume I've provided cross-domain XMLHttpRequest Level 2 (XHR2) permissions, for MySite, to YourSite. Let's also say YourSite serves interactive third-party SWF advertisements, provided with JavaScript access via the allowScriptAccess parameter. Then we have this situation:

[AdSite] -> [YourSite] -> [MySite]

Obviously I never intended to give AdSite's advertisements access to MySite, but that's exactly what I've done! As Peleus notes, this is the vulnerability recently exploited by the Renren worm.
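The arrow diagram above can be checked mechanically. What follows is an added example, not code from either blog post: a small audit that walks a set of cross-domain grants and reports the ones a site never wrote down but effectively made. The policy map is constructed from the post's placeholder site names, and "X grants Y" stands for any mechanism that lets code running as Y script or read X (a CORS Access-Control-Allow-Origin header naming Y, a Flash crossdomain.xml entry, or allowScriptAccess on an embedded SWF served from Y).

```javascript
// Constructed policy map using the post's placeholder names.
const policy = {
  "mysite.example":   ["yoursite.example"],  // MySite grants YourSite (XHR2)
  "yoursite.example": ["adsite.example"],    // YourSite scripts AdSite's SWFs
  "adsite.example":   [],
};

// Every chain of grants starting at `origin`: each step moves to a site
// that grants the site before it, so the chain reads like the post's
// diagram, [AdSite] -> [YourSite] -> [MySite].
function reachChains(origin, pol) {
  const chains = [];
  const walk = (current, path) => {
    for (const [site, allowed] of Object.entries(pol)) {
      if (allowed.includes(current) && !path.includes(site)) {
        const next = [...path, site];
        chains.push(next);
        walk(site, next);   // the grant is transitive, so keep walking
      }
    }
  };
  walk(origin, [origin]);
  return chains;
}

// Implicit grants: a chain of three or more sites ends at a target that
// never listed the chain's starting site in its own policy.
function implicitGrants(pol) {
  const findings = [];
  for (const origin of Object.keys(pol)) {
    for (const chain of reachChains(origin, pol)) {
      const target = chain[chain.length - 1];
      if (chain.length > 2 && !pol[target].includes(origin)) {
        findings.push({ target, reachedBy: origin, via: chain.join(" -> ") });
      }
    }
  }
  return findings;
}

// Mitigation check: return the policy with one grant removed, e.g. YourSite
// no longer giving script access to third-party SWFs.
function withoutGrant(pol, site, grantee) {
  return { ...pol, [site]: pol[site].filter((g) => g !== grantee) };
}
```

Running implicitGrants(policy) reports one finding, mysite.example reached by adsite.example via yoursite.example; after withoutGrant(policy, "yoursite.example", "adsite.example") it reports none.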

Bryan goes into some detail about the history of these issues and their mitigation, also linking to one of his earlier (April 2008) articles, provocatively titled Cross-domain XHR will destroy the internet. Try not clicking on that!

Peleus concludes his BlueHat article, "Combining research makes it easier to communicate common risks with deploying RIA technologies." The next BlueHat conference, "Microsoft BlueHat Security Briefings: Fall 2009 Sessions", is being held next week:

BlueHat v9 will again bring leading external security researchers to campus to present timely and lively presentations that showcase ongoing research, state-of-the-art hacking tools and techniques, and emergency security threats. Our main themes for BlueHat v9 will be around e-crime attacks, the exploit economy, the global threat landscape, online services, security in the Cloud, mobile (in)security, and cool tools and mitigations.

BlueHat v9: Through the Looking Glass, October 22-23 at the Microsoft corporate headquarters

Thursday, 8 October 2009

Coraline 3D Telepathy

More Geek Points

This week, Henry Selick decided to leave Laika, the animation studio he joined in 2004.

After the worldwide success of Coraline, and particularly Coraline 3D, which he directed, Henry did not share in the storm of promotions that then hit Laika. His title never changed, and he was left without a new project to work on.

Henry should be used to disappointment. This is the guy whose previous masterpiece originally came out under the title Tim Burton's The Nightmare Before Christmas. But Henry is also an all-round nice guy, who is never likely to say anything remotely uncharitable about those he works with. At most, he might be pressed to admit that the whole Tim Burton misappropriation of credit thing "...still stings a little."

This is my Coraline 3D story. It's also another in a series documenting how your geek credentials can earn you a big hug: in this case, a psychic one! And needless to say, I will of course get straight to the point immediately, as always, without any unnecessary diversions whatsoever.

Days Of Science

We begin at the Edinburgh International Science Festival in 1995, where we were treated to a memorable selection of top quality presentations.

There was Richard Dawkins, in the days when he was renowned primarily as an ambassador for the theory of evolution by natural selection, and as a champion for the public understanding of science, rather than today's media caricature of a grumpy old atheist. He was busily promoting his new book, yet still managed to diverge more than enough from his prepared text, to give us numerous new (to us) and fascinating insights into aspects of evolution. Afterwards Linda took my book to ask him to sign it - I was starstruck and incapable of approaching the good professor - and she even bought a wee chapbook, "God's Utility Function", so as to have something of her own to get signed.

There was Lewis Wolpert, similarly holding court and proclaiming "The Triumph Of The Embryo" to an equally spellbound and appreciative audience, another evangelist for the cause of rationality and enlightenment, and no less a model of earnest clarity and sincerity.

There was also a larger meeting involving many scientists and other speakers from various disciplines, all preaching urgently about the state of the planet, and the coming devastations in the whirlwind that we'd soon reap. The general feeling in the room was that the 1992 Earth Summit in Rio had been a missed opportunity, failing to grasp the real risk that human activities – especially the consumption of coal, oil and gas – could affect the earth’s environment to a hitherto unseen and potentially very serious extent, as foreseen in the 1990 synthesis report of the UN climate panel (the IPCC). “The earth’s future is in danger” was the message, and the imminent Kyoto Conference was widely being touted as Our Last Chance.

Ayers Rocks

For all that enlightenment, celebrity and drama, the one thing that sticks out most prominently in my memory of that year's festival, was a picture of Ayers Rock in Australia.

We saw it during our trip to the Royal Observatory. It was the first time either of us had seen a demonstration of full colour 3D images. Well, I mean apart from the stereoscopes we'd played with as children, those truly marvellous binoculars that accepted a disk with diametric set pairs of left/right full-colour slides, projecting a different image directly into each eye. My favourites were collections of stills from Star Trek (the original series, of course).

This particular demonstration in the Royal Observatory used simple passive spectacles, but instead of the traditional red/blue filters they used polarised glass, with the left and right "lenses" mutually cross-polarised at 90°. The room was darkened, and a succession of still images was shown via the special projector. Ayers Rock jumped out of the projection screen and landed, in dazzling full colour, in the middle of the floor.

Introducing: Little Niece & Nephew

It was the memory of this experience that made me want to see Neil Gaiman's story Coraline in cinematic 3D when it was released this year. Word was, this would be a narrow opportunity window, since the supply of modern 3D cinematic projectors around these parts is still a bit low, and the Jonas Brothers were in hot 3D pursuit.

With no children of our own, we obviously needed cover to get into the cinema, and so we grabbed Little Niece and her bro, Little Nephew. Having employed these two true professionals before, when we went to see The Golden Compass, I was confident they wouldn't blow our cover and croak that they weren't actually ours. They even sat through a pre-show pizza with us, smiling and chatting, utterly convincingly.

Linda, who quite understandably loves nothing better than to be out with the kids, naturally beamed with happiness throughout the meal; particularly when a pizza was dropped on the floor (by one of us), and immediately replaced by a free one, courtesy of the manager. You are The Hut, Renfield Street Pizza Hut, you are The Hut!

When we got to the cinema, we grabbed the middle 4 seats of the front row, and proceeded to enjoy Neil's story and Henry's replacement animation masterpiece. Needles were thrust out of the screen and into our gaping faces, strange creatures danced in the middle of the air, French & Saunders squabbled behind a curtain somewhere out of view. Our looks of wonder became set in skin and bone for the full one hundred minutes.

Looking along the row of smiles, I began to know that this would be an evening we'd remember. And although Linda was three seats away to my right, bespectacled eyes transfixed on a point halfway between the screen and her nose, I could physically feel her delight at bringing these two youngsters to this new experience for the first time. That, and all the other aspects of this day when everything went right, and nothing disappointed.

Later in the week she would say to me, "When that movie started, I just wanted to give you a big hug!" and I would reply, "Yes I know, I felt it! And I hugged you back!"

Security Digest #2

Another collection of minor articles, references, and other resources, relating to computer security generally, and to the Microsoft SDL particularly.

Installing & Using the SDL Process Template

Here's an MSDN video (WMV, 9 minutes and 4 seconds) on how to install the SDL Process Template, followed by a walkthrough on how to start using it in a new project.

The Microsoft SDL Process Template for Visual Studio Team System was created to ease adoption of the SDL by automatically integrating the policy, process and tools of the Security Development Lifecycle v4.1 into Visual Studio Team System 2008.

Most Popular Vulnerabilities!

From Virtual Tech Days, February 18th 2009, comes this combination PowerPoint / live demo presentation by Varun Sharma (Security Engineer, ACE Team, MS Information Security) enumerating and illustrating the top 5 Web App security bugs: Authorization Issues, Clear Text Secrets, Cross-Site Scripting (alone responsible for more than half of all incidents found by the ACE Team in 2008), SQL Injection, and Verbose Error Messages.

The 56.5MB, 68 minute WMV can be downloaded here.

How Do I: Use the SDL Process Template Documentation and Reporting?

This video shows how to use the SDL Process Template document templates and security metrics reporting. The built-in SDL document templates help to jump start the use of the Microsoft SDL. The reporting allows improved visibility into key security risks for the application, and the progress the team is making toward their security goals.

WMV, 5 minutes 17 seconds.

!exploitable Crash Analyzer - MSEC Debugger Extensions

Apparently that's pronounced “bang exploitable” (don't kill the messenger), and it's a Windows debugging extension (Windbg) providing automated crash analysis and security risk assessment.

The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown.

In other words it parses crash logs and gives you two important pieces of information:
  • First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.
  • The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners.
There is more detailed information about the tool at Additionally, see the blog post at, or watch the video at

Microsoft SDL - Developer Starter Kit

This month's final quick link is to the July 2009 download of the SDL Starter Kit, which "provides a compilation of baseline developer security training materials on core Microsoft Security Development Lifecycle (SDL) topics."

The topics included, most of which I have covered in a little detail in previous articles, are:
  1. secure design principles;
  2. secure implementation principles;
  3. secure verification principles;
  4. SQL injection;
  5. cross-site scripting;
  6. code analysis;
  7. banned application programming interfaces (APIs);
  8. buffer overflows;
  9. source code annotation language;
  10. security code review;
  11. compiler defenses;
  12. fuzz testing;
  13. Microsoft SDL threat modeling principles; and
  14. the Microsoft SDL threat modeling tool.
Each set of guidance contains Microsoft Office PowerPoint slides, speaker notes, train-the-trainer audio files, and sample comprehension questions.

That is all.