Wednesday 16 December 2009

Security Digest #4

This month's Digest is just a little earlier (and just a little shorter) than usual, because of the holidays...


Get The Best Security You Can Afford

Eric Lippert's blog, Fabulous Adventures In Coding, is often among other things a great source of insight into the way the C# compiler works. That's the chief reason why it's a personal favourite of mine. But as its title suggests, Eric's interests and expertise extend into other areas.

On his last summer holiday, for example, Eric used an incident at an airport to digress into analytic queueing theory. And just this week, he's taken an unexpected diversion into some very basic principles of security systems. Click through to see how RSA cryptosystems can be misapplied, providing an illusion of security - with no substance. And he ends with so many excellent bullet points that you will cower in fear.


The CAT.NET 2.0 Configuration Analysis Engine

Last month I looked at the InfoSec Assessment & Protection (A&P) Suite, which had just been released. Maqbool Malik has provided a fully detailed guide to the Configuration Analysis Engine of its Code Analysis Tool, CAT.NET v2.0:


And from Channel 9, there's this video of Maqbool Malik and Anil Revuru (RV), from Microsoft Information Security, talking about the new release of this tool:



On Security Error Prevention in Development

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC is a Microsoft paper discussing Security By Default, one of the core SDL principles. It is also a very instructive account of how the Windows Live team adopted the ASP.NET MVC framework when developing the services included in Windows Live, and of how that approach helped prevent developers from making security errors:



BlueHat v9 Brings the Looking Glass to You

Finally this year, the session and interview videos from BlueHat are now available on the TechNet page:


SMS and other attack vectors on pocket-sized devices were a prominent area of comment this year, somewhat predictably; and equally so, The Cloud, and Software + Services (S+S).


That's all from The Padlock for 2009. Have a Security Strategy, and a Happy New Year!

Monday 7 December 2009

The Dogma Song

I've Been In The Loft

Rewiring the bedroom lighting, and fetching down the Christmas decorations. I found this: a mildly amusing, language-game lyric, written in 1979 - aye, three decades ago! On an electric typewriter! - written, as I was saying, at the time when my good friend Tom Fox, philosophy scholar of this parish and a great fan of the writings of Thomas Aquinas, was leaving these shores to further his studies in Rome.

Utrum Omnes Lex Humanitus Posita A Lege Naturali Derivetur
A young Italian student, he
Was being where he shouldn't be;
And while he being was, you see,
A prefect leaped down from a tree -
Up which, he'd every right to be.

Said him to he, "And what gives you
The right to don't as Romans do?
For up there, down here, I did view
Your trespassing, and heedless to
Such penalties as might accrue."

But Foxy, with a wily look,
Knew he could counter this rebuke;
And from his ample cassock, took
All fifteen volumes of the book
From which this poem's title's took.

"You say that I'm at fault, because,
Down here, with you up there, I was.
Your reasoning is full of flaws!
Which says, among your Roman laws,
Where I can't plant my fox's paws?"

The stage was set; in sequence, they
Produced their books, and had their say,
With eloquent verbosity.
So it continued, night and day,
They'd curse and argue, fight and pray,
And neither man has given way.
That's why, until this very day,
You'll find them on the Cassian Way,
Or any map of Italy.

Copyright © 1979 by John M. Kerr.

This is my original text, including the mega-pretentious title, which I still like. Later, the "poem" became a "story", acquired some choruses, was renamed Dogma, and was sung to a tortured rearrangement of Benny Hill's Ernie (The Fastest Milkman In The West). Tortured but humorous, as the odd number of lines forces each verse to end with an anticlimactic fade...

Why no, actually. No, in fact I have no plans to record it for YouTube. Seriously. Shut up.

Tuesday 1 December 2009

On Quines

Writes Code Which, When Run, ...

This is mind blowing. Yusuke Endoh has written a very interesting computer program. In fact, he has written a whole series of them: eleven in all.

What's interesting about these programs is that, first of all, each of them is written in a different computer language. That fact alone qualifies him as a clever chap. Then there's the range of languages he used: some are fairly common (Ruby, Python, Perl, C, Java), others somewhat more exotic (Lua, OCaml, Haskell), still others downright esoteric (brainfuck, Whitespace, Unlambda). Clearly, he's actually a very clever chap.

But when you look at his set of eleven little programs, each in its own different language, and when you realise exactly what they do, then you are forced to conclude that Yusuke Endoh is in fact a very, very clever chap. Because what every program in this set does, when you run it, is to print out the source code of the "next" program in the set.

Imagine these eleven programs arranged in a circle. Each one, when run, prints a copy of the source code of the next one.

I suppose you could look at it another way: he actually only had to write one of these programs. Then he could run that to obtain the second, then run the second to obtain the third, and so on. But wait a minute, doesn't that mean that when he runs the eleventh program, its output will be just the source code for the very first one?

Yes, that's right. There was actually no need for him to write anything at all. These are eleven self-generating sources. What a lazy guy!

Picture: MC Mechanic by Shane Willis.

Here's the link to his blog article. In the (English!) comments you'll see that he actually wrote, in the sense of "putting effort into the crafting of", two of the sources, the diametrically opposed Ruby and the Haskell; then effectively infilled to complete a cycle:


A computer program which prints out a source code copy of itself is called a Quine, after America's most influential Harvard philosopher and logician, Willard Van Orman Quine. So, this is a kind of generalisation of a Quine program.
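To make the idea concrete, here is an added example of my own (not Endoh's code): the classic Python quine, plus a same-language relay of k programs in which program n prints program n+1 mod k, with a small harness that runs each program in a fresh interpreter and checks that the cycle closes. Everything stays in Python, so it shows only the cycle structure, not the cross-language trick.

```python
import subprocess
import sys


def run_python(source: str) -> str:
    """Run a Python source string in a fresh interpreter and return its stdout."""
    proc = subprocess.run([sys.executable, "-"], input=source,
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Classic Python quine: the template holds the program text with a %r hole,
# and the finished program fills that hole with the template itself.
QUINE_TEMPLATE = "s = %r\nprint(s %% s)"
QUINE_PROGRAM = QUINE_TEMPLATE % QUINE_TEMPLATE + "\n"


def is_quine(source: str) -> bool:
    """A program is a quine if its output is byte-for-byte its own source."""
    return run_python(source) == source


# Relay (constructed example): every program in the cycle carries its index n,
# the cycle length k and the shared template, and prints program (n + 1) mod k.
RELAY_TEMPLATE = ("n = %d\nk = %d\ns = %r\n"
                  "print(s %% ((n + 1) %% k, k, s))")


def relay_program(n: int, k: int) -> str:
    """Source text of program n in a cycle of k programs."""
    return RELAY_TEMPLATE % (n, k, RELAY_TEMPLATE) + "\n"


def relay_cycle_closes(k: int) -> bool:
    """Start at program 0, run k times, and check that each run produced the
    expected next program and that the last output is program 0 again."""
    current = relay_program(0, k)
    for step in range(k):
        produced = run_python(current)
        if produced != relay_program((step + 1) % k, k):
            return False
        current = produced
    return current == relay_program(0, k)


if __name__ == "__main__":
    print("quine reproduces itself:", is_quine(QUINE_PROGRAM))
    print("3-program relay closes:", relay_cycle_closes(3))
```

A cycle of length 1 collapses to an ordinary quine, which is exactly the "generalisation" the text describes.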

Here's another description of Yusuke-san's achievement, for those like me whose knowledge of languages does not extend to Japanese. Note the comment from Professor Quine's son Douglas, at the foot of the article:


The association with Quine comes from his famous self-contradictory predicate, "yields a falsehood when appended to its own quotation", which he used to investigate the linguistic anomalies underlying Russell's Paradox. Here of course we are concerned not so much with the paradox, as with the self-referential nature of the sentential fragment, which mirrors the self-replicating behaviour of the code.

Historical Note

I was lucky enough to enjoy brief correspondence with Professor Quine in the 80s, and also more recently with his son Dr Douglas Quine, who recommended to me Quiddities: An Intermittently Philosophical Dictionary as a sampler of his father's humour, insight and intellect.

And that's a great read; but my favourite Quine works are still The Ways Of Paradox and other essays, in which I was first exposed to the genius of Alfred Tarski, and the Lambda Calculus, at a dangerously young age; and Methods Of Logic, which first convinced me computers could solve problems using predicate calculus (though it wasn't until several years later that I finally got my hands on a Prolog system).

Decades after you've absorbed whatever technical content you needed from their pages, you can still reread those books for their astute, elegant, lucid and entertaining prose style.

Tweets - November 2009