Friday 31 December 2010

Security Digest #15: 27C3 Special

The 27th Annual Chaos Communication Congress

With the application of my superior skills of decryption, I deduce that this logo says 27C3. Well, the 27th CCC has just happened in Berlin, spread over the last four days (Monday 27th to Thursday 30th December). Required viewing for all security professionals, the conference was broadcast live on the Internet, which is where I caught the absolutely riveting presentation of Sony PS3 Security Epic Fail. More on that later.


Blah, blah, blah...
  • GSM eavesdropping is now easier and cheaper than ever. Wow, I thought they'd have patched that one by now. Not. One of the most interesting aspects of Tuesday's presentation was the researchers' casual references to two-terabyte rainbow tables. Now we really are living in the future. Precomputation as a time-memory trade-off is nothing new (Hellman described it in 1980, and rainbow tables are Oechslin's 2003 refinement), but what those two terabytes hold is precomputed A5/1 keystream states rather than keys, and their sheer size allowed the session's secret encryption key to be found in less than 20 seconds. The presenters also used various software (open source), one laptop, and for their network sniffers: four $15 telephones.
  • FireEye security researcher Julia Wolf discloses a plethora of new PDF vulnerabilities. Actually this one is new (in the detail) and worrying indeed (in scope). I read it and wept, nearly.
  • WikiLeaks defector details new whistleblowing model, OpenLeaks. Well, Wikileaks itself was born at CCC in 2007, in a presentation by Julian Assange; so this is an entirely appropriate time and place to announce that. Good luck with your new venture, you former WL operatives, I'll see your new site and raise you 9,000 others. I mean, shouldn't we be calling this Hololeaks already?

Sony FB Part 3

Required viewing for all Sony development engineers. And I'm quite certain every one of them has watched this by now.

As a PS3 owner, I should have a vested interest in Sony's ability to protect their private walled and perfumed garden of game software development. That I do not in fact feel that interest, is a consequence of some cold industry facts. Specifically:
  1. Protected development is no longer directed at creating the staggeringly imaginative games found on previous console generations - Zelda Ocarina on the Nintendo 64 being both archetype and zenith - but instead aims for common denominator, hyper-realistic sandboxes or short span missions, quite devoid of creativity. In fact...
  2. One of the best things to come out of Sony last year was a Sly Cooper retread, retrofitting HD textures to the identical set of polygons first marketed to us (abysmally marketed, in the case of SCE Europe) way back in 2002; adding some unbelievably meh Move mini games, and trumpeting 3D capability. After all, who's going to remember the original Sly 3 from 2005, arriving on the PS2 already replete with anaglyphic 3D and free blue-red specs? Meanwhile, 2011 seems set to repeat such repeats, with an HD/3D reskinning of Ico & Shadow of the Colossus poised for imminent release.
  3. More than most electronic conglomerates, scofflaws Sony appear particularly to despise their customers, treating them with the same apparent level of dismissive contempt as the corporation exhibits towards all consumer protection legislation, internationally. Examples are legion, and entire websites exist solely to bear testament to this single proposition.
Therefore it was with the squealing glee of a wee girl, that I found and devoured the brilliantly presented 40-minute CCC talk Console Hacking 2010: PS3 Epic Fail, presented by fail0verflow members bushing, sven, marcan and segher...

After a little history, the ubiquitous Michael Steil appeared in cameo to present statistics relating to the time taken to hack various consoles, and supporting his assertion that any console without Linux will be hacked to run it within its first year. The apparently atypical run of luck enjoyed by the PS3 (four years) seems to have been due to Linux already being officially available there. But Sony, famously and illegally, removed that feature; now their security has likewise been annihilated. Again, within that twelve month window.

Interesting though, how this narrative thread fits into an emerging pattern of virtual terrorism (cf the many DDoS attacks recently launched both against and in support of Wikileaks). Upsetting the Linux/hacker community looks a bit like pissing off 4chan, or anonymous, in that, you probably don't want to do it. Anyone can see that DDoS attacks in support of say, Wikileaks, are just as indefensible as attacks on Wikileaks itself; yet they continue, trumpeted by the same, sometimes naive, mostly disingenuous, idealistic justifications.

Anyway (removes equivocation apparatus)...

The core of fail0verflow's presentation featured a table of security features implemented on a sampling of consoles. This was followed by a step-by-step account of the group's deconstruction and reverse-engineering of each of these, by means of spectacularly varied and creative vectors of attack. At the finish, as evidenced by the same table, the wretched PS3's security features had been comprehensively deleted, and you could feel nothing but pity for it:


There's a lot to love about this presentation, but the highlights for me were (1) the playing of the Sony "Trophy!" bell and icon each time another layer of security was breached; and (2) the hilarious specific details of one particular attack, the compromising of ECDSA signatures.

This latter was deliciously presented by fail0verflow member and future standup legend segher, who self-deprecatingly explained just enough about this perfectly sound signature scheme (not encryption: ECDSA only signs) to make it obvious to any high school student that the per-signature random number, the nonce, must be fresh and unpredictable every single time.

Actually, he didn't explain that at all. That would have insulted the intelligence of his audience of hackers. Instead he showed the relevant formula, then observed "... but m is supposed to be a random number. And for some reason, Sony uses the same random number all the time." Instantly, the overhead display changed to show two simultaneous equations. The hall erupted in a gaggle of hysterical laughter, and the kind of rapturous and loud applause that actually hurts your hands and feet.

Just to rub salt in the wounds of any Sony devs watching, he showed us his attempt at reverse-engineering Sony's prang:
// Sony's ECDSA code
int getRandomNumber()
{
    return 4; // Chosen by fair dice roll; guaranteed to be random.
}
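Since the joke only lands once you have seen the two simultaneous equations, here they are worked through in code. This is an added illustration of my own, not anything from the fail0verflow talk and certainly not Sony's code. It uses secp256k1 purely as a well-known stand-in curve (the talk does not name the PS3's curve and neither do I), calls the nonce k where segher's slide called it m, and the two "firmware" messages are constructed sample inputs. Two signatures (r, s1) and (r, s2) over hashes e1 and e2 with the same nonce satisfy s1·k = e1 + d·r and s2·k = e2 + d·r, so subtracting gives k = (e1 - e2)/(s1 - s2), and then the private key d = (s1·k - e1)/r falls straight out:

```python
"""Added example: textbook ECDSA over secp256k1 in pure Python, followed by
private-key recovery from two signatures that reused the nonce (k = 4, of course).
Not fail0verflow's code and not Sony's; the messages below are constructed."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), generator G of order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def point_add(p1, p2):
    """Affine point addition; also handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add: returns k*point."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    """e = SHA-256(msg) as an integer (256 bits, so no truncation is needed)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, msg, k):
    """Textbook ECDSA. k MUST be a fresh secret per signature. Returns (r, s)."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def verify(Q, msg, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    e = hash_to_int(msg)
    X = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return X is not INF and X[0] % N == r


def recover_private_key(sig1, msg1, sig2, msg2):
    """Same r in both signatures means the same k was used, giving two linear
    equations in the unknowns k and d:
        s1*k = e1 + d*r   and   s2*k = e2 + d*r   (mod N)
    Subtract to eliminate d:  k = (e1 - e2)/(s1 - s2);  then d = (s1*k - e1)/r."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r values: the nonce was not reused")
    e1, e2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r1, -1, N) % N


def demo():
    """Sign two messages under one key with a reused nonce; return (real d, recovered d)."""
    d = secrets.randbelow(N - 1) + 1     # a genuinely random private key
    Q = scalar_mult(d, G)
    k = 4                                # the "fair dice roll" nonce, reused
    msg1, msg2 = b"firmware-3.21", b"firmware-3.41"   # constructed sample messages
    sig1, sig2 = sign(d, msg1, k), sign(d, msg2, k)
    assert verify(Q, msg1, sig1) and verify(Q, msg2, sig2)   # both are valid
    return d, recover_private_key(sig1, msg1, sig2, msg2)


if __name__ == "__main__":
    real, recovered = demo()
    print("private key recovered:", real == recovered)
```

Note that the two signatures verify perfectly well; nothing in the verifier can tell that the nonce was reused. The only defence is on the signing side: a fresh, unpredictable k per signature, or a deterministic derivation of k from the key and the message so that two different messages can never share one.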
As I mentioned above, there's much more very clever stuff in the presentation; but come on, who could ever follow that? See you next year!


Security Digest is brought to you by the inimitable flavours of Talisker, the only single malt scotch whisky from the Isle of Skye. Actually that Glenmorangie fae Tain's no hauf bad an' all. Aye, and the Lagavulin. Which isnae a patch on Highland Park, incidentally... Happy New Year! Hic.

Thursday 23 December 2010

Don't Hit Me With Your Modem

Today's Apposite Dilbert

Found a Hayes fax modem in the miscellaneous cables & assorted hardware sports bag, during the annual clean & throw out. Here's a picture of it:

Dilbert.com

Also found a couple of wireless routers, two Sharp pocket computers from the 80s, a pre-USB Laplink cable (wow, serial RS-232C and Centronics parallel!), it's all good...

Dilbert ©2010, United Feature Syndicate, Inc.

Thursday 16 December 2010

Quick Security References

One New QSR


Jeremy Dallman of the Microsoft Security Development Lifecycle (SDL) recently announced the availability of a new Quick Security Reference (QSR) document.

These are papers which look at specific security threats from certain particular IT job role perspectives, viz. business decision makers, architects / program managers, developers, and testers. Jeremy describes the place of these documents in the Security Development Lifecycle as follows. If a security related attack is like being thrown out of your plane into free fall, and the SDL is your parachute, then QSRs are a quick and easy way to find the D-Ring...

The new paper covers the subject of Exposure of Sensitive Information. This is not one of the catchy exploit-named areas of security, but it's an increasingly important aspect of your strategy in times when the failure to protect information and its accidental disclosure are increasingly being targeted in the search for vulnerabilities.

Our company has ISO 27001 certification as a business, but we are still just at the very start of the process to introduce adoption of the SDL maturity levels (below) into our software design, development and test practices.


Along with the extensive SDL Implementers' Guides, these excellent little quick reference documents - and this new one in particular - will be extremely useful training resources in the coming months. Even more so in fact, now that all SDL documentation is available under a Creative Commons licence. That includes for example, the flashy colour graphics in this article!

Two Old QSRs


Reminder: the first two QSRs cover the perennially popular subjects of Cross-Site Scripting and SQL Injection, topics chosen because they represent the most common attack types that almost any Development or IT Professional team will encounter today:

Friday 10 December 2010

Book Review: Mean Deviation

Four Decades of Progressive Heavy Metal

Without deviation from the norm, progress is not possible.
- Frank Zappa (dedication).

On June 16, 1902, just as Gottlob Frege's new Grundgesetze der Arithmetik was going to press, Bertrand Russell wrote to him, with catastrophic, utterly devastating news: drummer and co-founder Mike Portnoy had just left Dream Theater.

No, that's not right. Let me try again...

In 2008 a truly worldwide survey of more than 36,000 people (three dozen kilopeople!), the largest of its kind ever undertaken, made the first ever serious attempt to correlate people's musical tastes with their personality types. Led by one Professor Adrian North of Edinburgh's Heriot-Watt University, the research uncovered more than one fascinating fact about us, the musical styles with which we prefer to be identified, and what these say about our characters. But that is not the impression you'd have taken from the headlines at the time.

Almost unanimously, journalists and reporters focused on just one single correlation from that report; one which, for whatever reason, they found to be quite unexpected, striking... astonishing. This was the correlation between classical music lovers, and heavy metal maniacs.

In fact, excluding only age differences, the researchers had found that devotees of these two musical styles share "virtually identical" personality traits. Such as being much more creative than other people*, and being "at ease with themselves", although "not exactly outgoing". Musically and psychologically adjacent to both groups, and giving perhaps some clue as to the nature of their common ground, we find the fans of so-called progressive music. Forever enraptured by technical proficiency and the grand scale of the orchestral, in recent times they have increasingly found their genre migrating due north in a heavy metal-led diaspora.

<diversion>

Some would argue that the classical, the progressive, has been in heavy metal's DNA from its very inception. The entire genre was born in Britain, they'd say, on the cold morning of Friday 13th February, 1970, when the first three notes of Black Sabbath (the opening track of the eponymous debut album, Black Sabbath, by a Birmingham band whose name temporarily escapes us) oozed and spilled out on to the rug, bleeding - in the words of its clever cover art poem, Still Falls The Rain - before a gesticulating death.

Those first doom laden notes, and in fact most of the song, comprise musical theory's infamous tritone interval. Branded Diabolus in Musica or the Devil's Interval by medieval musicians, this eternal technical oddity was otherwise virtually unknown in pop and rock. Admittedly it appears in The Simpsons' theme, but that's quite a rare pop culture appearance. Historically however, it has cropped up in many and various classical guises, from the 19th century onward. Erm, according to those Black Sabbath fans, that is.

</diversion>


Now at last we have the definitive document, the one that records the detailed co-evolution of these disparate musical styles. Today we can finally read the history - some are already calling it the Bible - of progressive heavy metal.

This book's credentials are impeccable. It's edited by Ian Christe, whose own Sound of the Beast: The Complete Headbanging History of Heavy Metal has itself remained more or less definitive in its own subject area, ever since its first appearance as a hardback in 2003. Even more importantly, this new account is written by the former (1996-2001) editor of the Metal Maniacs fanzine, already a highly regarded, respected, and revered authority in the field. Jeff Wagner's book was always guaranteed to be seminal and enthusiastically received, at least from the heavy metal half of an overall perspective.

That it also succeeds quite so brilliantly in charting the convolutions of progressive rock music, with its increasingly intertwined and eventually shared destiny with heavy metal over those decades, is a fact first attested to by the involvement of none other than Porcupine Tree's Steven Wilson in the title's launch. Steven contributes the foreword to the book, as well as the prime and essential tribute: "We now have a definitive book on the relationship between metal and progressive music."

Sneak A Peek

Typical Amazon reviews concentrate on a roll call of the band and personnel names mentioned in the work. I'm looking for better metrics. A page count of 384 may be a nominally useful measure of the length of the work, but an appreciation of its depth can be gained immediately from the size of its index: eleven, full, two-columned pages. And a still better gauge is actually to view the full content of that index, which is available as a PDF download here. That's your roll call right there, that is, and it's particularly gratifying to realise that the entries for Fates Warning and Rush are actually longer than Dream Theater's! Here's a guy who really and truly knows his musical history...

There's a sample extract from Part II: The Science of the Day, chapter five, Passing the Threshold, available in PDF here, just to confirm your suspicions about how painstakingly well researched is Jeff's labour of love, his tribute to the creative artists involved in this fascinating tale.

Musical Structure

Befitting the complex musical forms whose development it describes, the book sports a considered and well thought-through top level framework. Steven Wilson's foreword leads into the author's prologue, where he sets the scene, hinting at the inspiration, the seeds and roots of the book, in his own reaction - as a fan - to Voivod's controversial (and widely misunderstood) sixth album - 1991's Angel Rat. And perhaps more significantly, his roommate's (also a big Voivod fan) diametrically opposed reaction to the same. Jeff saw in this dispute, in the rejection of the band's new direction by such reactionary, conservative fans, the true definition of progressive music.

Following this, the main body of the book is divided into five major parts. Here I'd like to reproduce its Contents section, for the purpose of providing each chapter with a pithy summary paragraph. Please keep in mind that these descriptions do nothing more than sketch out the broadest narrative arc of a work, whose substance is rather to be found in the fascinating level of detail in which Jeff teases out the offshoots and foliage of each main branch. You have to buy the book to get that!

Part I : Atmospheric Disturbance

The groundwork is traced, from the first saplings of metal and prog in the 60s, to the digital revolution in music, and the 90s explosion of progressive heavy metal.

1. Invention / Reinvention.

Almost inevitably in hindsight, we start not with Black Sabbath, but with the shock of 1969's King Crimson opening at Vermont with 21st Century Schizoid Man. Having thus given adequate justification for his book's subtitle, Jeff then goes still further back to enlist Zappa's unprecedented double album Freak Out! from 1966 as the second half of a platform, on which to introduce a mass of later 60s and early 70s names; the pioneers of the first progressive rock. Through this whirlwind retelling, Robert Fripp repeatedly makes clear how he regards much of King Crimson's output, both then and still on 1974's Red, in retrospect as heavy metal proper.

2. All Moving Parts.

Chapter two sees Black Sabbath receive their due recognition as the first heavy metal specialist band, while their fifth album, 1973's Sabbath Bloody Sabbath, gets a nomination for the first ever progressive heavy metal album - due in some part to the keyboard and arrangement duties performed in the studio by a classically trained Rick Wakeman. Meanwhile, in an adjacent debate, just exactly who did first coin that term for what Black Sabbath, Led Zeppelin, Deep Purple et al were now starting to do? Major branches explored here include: Rainbow, Judas Priest, Scorpions.

3. By-Tor at the Gates of Delirium.

And already we've reached the ambitious, ofttimes Ayn Rand-inspired, epic song craft of Rush, whom Jeff credits with the most successful hybridization of prog rock and heavy metal yet achieved. This entire chapter belongs to the Canadian trio, whose 2112 remains pivotal in prog metal.

4. Open Mind for a Different View.

The groundwork is completed by a survey of the biggest purveyors of "smarter, more sophisticated metal to the masses" in the 80s - principally Iron Maiden, Mercyful Fate, Metallica and Megadeth. As elsewhere, the significant influences on these are well researched and documented, via live contemporary interviews wherever possible.

Part II : The Science Of The Day

5. Passing the Threshold.

Also, in a sense, the torch. True prog metal arrives fully formed, from America, in the definitive guise of Washington State's Queensrÿche and Connecticut's Fates Warning, whose intertwined destinies dominate this, the publicly viewable preview chapter. An amusing sidebar titled "What If?" speculates on the alternative prog metal universe that would have sprouted, had Ron Jarzombek (later of Texas math rock legends Watchtower) succeeded with his tape audition for Fates Warning. Conclusion: actually, things would eventually have worked out pretty much the same.

6. Killed by Tech.

Ah yes, Watchtower. The birth of tech metal. I have no words for the mighty Watchtower. Except... uncompromising, mathematical. And, well, let's see, bat shit crazy. Luckily, Jeff does have words for them and their ilk; well articulated words, too. In fact, I read his very description of the genre as itself a labour of journalistic love. Once again, don't miss the fascinating and funny sidebar, "Prog on a Pogo Stick". We are still waiting for Watchtower's third, the doomed Mathematics; but here, Jeff does give us at least a little hope.

7. A Constant Motion.

Sure, there's a lot more to prog metal than Dream Theater; but hey, they're far and away the biggest kid in this playground. So many and varied superlatives run true of this band, that you sense Jeff had trouble in containing their story to a single chapter. Yet contained it had to be, in a book whose watchword after all is diversity. This chapter contains that one fatal quote, hinted at in my introduction above: "... a union that still shows no signs of relenting." More on that later.

Part III : A Quantum Leap Forward

There are many threads to follow from the early 90s, "going forward". In this section of the book, Jeff splits them both temporally and geographically into five closely related chapters, subtitled "Sublimation from Underground." The result is a well organised, well analysed record of this tumultuous and potentially confusing period of development.

8. Sublimation from Underground I: Voivod & Celtic Frost

Watchtower's Jason McMaster in turn passes the torch to Celtic Frost's Tom G. Warrior, while Canada's Voivod rise from the underground to the acclaim of critics like Cynic's Paul Masvidal; "metal godfathers" Lemmy and Bruce Dickinson; and, erm, Ryan Adams. The familiar sidebar morphs into a four-page discourse on 90s hybridization and genre-box disintegration.

9. Sublimation from Underground II: Europe

That's the continent of course, not the glam rock band. Voivod and Celtic Frost had Berlin-based Noise Records in common. Jeff uses this as a springboard for the exploration of related European bands, including Switzerland's Coroner; Germany's Sieges Even, Mekong Delta, Destruction, Deathrow, and Atrocity; then similar lists in turn from Austria and Finland. Sidebar: Mekong Delta's reworkings of classical compositions. Nice.

10. Sublimation from Underground III: North America

San Francisco is prolific. In fact, California; no, make that the West coast; and the midwest; hell, all of North America (and Montreal too) is breaking out in metal. Jeff picks out two midwestern bands in particular - Anacrusis and Realm - for their still resonant debut offerings, and their refusal to bow to the new orthodoxy of Metallica. Yay!

11. Sublimation from Underground IV: Florida

The explosion of death metal from Florida in the 90s is remarkable, as Jeff makes abundantly clear in this whole chapter dedicated to this one sunshine state, finding within it much variety and deviation from the headlong headbanging stampede. This chapter happens to straddle the midpoint of the book, and so coincidentally contains the 16 pages of full colour plates. Wow, look at San Francisco's Hammers of Misfortune, I'm just sayin', must give them a listen soon...

12. Sublimation from Underground V: From 2112 to 1993

Jeff identifies a sea change in 1993: the death of death metal, at the strangling hands of grunge. He further identifies three creative high spots that ultimately got smothered in the carnage: Spheres by Dutch pioneers Pestilence; Believer's Dimensions; and Cynic's Focus. All three bands would follow these releases with a commercially imposed, 15-year hiatus. And yet this one year remains to this day remarkable, for the sheer number and variety of new and/or evolved bands suddenly innovating in the genre (a fact borne out in the sidebar, 1993: Year of the Eggheadbanger).

Part IV : Genetic Blends

13. Deviation or Derivation?

Historical review time: why prog was dying in 1992, and why Dream Theater made such a positive impact crater. So begins a retrospective chapter, deeply analytical, and with the expository skill of the lifelong observer and specialist, yielding his tools: economics; fashion; and ultimately, perhaps for the last time ever, the thoughts and actions of enterprising new record label bosses. Pain of Salvation and Devin Townsend emerge as creatively, contemporarily, influential.

14. Swedish Oddballs

Yet another country gets the by-now familiar treatment of analysis; history; review. The unexpected prevalence of Sweden in the field of "grisly, violent metal" leads through the frustrations and reactions of small town life, via Therion and Edge of Sanity, to a foreshadowing of the prog metal gods Meshuggah and Opeth. Just recently I realised how many more of my favourite musical acts hail from this Scandinavian land. But on reflection, it would probably have been quite inappropriate (despite endorsements from both the ubiquitous Steven Wilson, and Opeth's Mikael Åkerfeldt) to include Abba. To say nothing of The (thoroughly and comprehensively metal influenced) Cardigans, nor yet of their beautifully talented vocalist Nina Persson's solo project, A Camp. Oh well.

15. The "Weirding" of Norway

Not so much prog, more black metal; Norway's main contribution to the genre is also surprising in its intensity and ubiquity. At this juncture, I must confess that I have pretty much avoided this sub genre personally, almost completely in fact. That's entirely because of the actions of one particularly murderous and maniacal psychopath. Accordingly, I've skipped most of this chapter too. Maybe I'll discover this country musically one day, when I've fully disassociated its music from the violence. But for now, on the basis that I've no knowledge with which to judge this chapter objectively: no review.

Part V : Into Data Overload...

16. The Expanding Universe.

Jeff identifies another sea change in 2000 - this time, using the actual phrase! woohoo! - whereby such challenging music as that produced by avant-garde bands like Japan's Sigh, or maybe America's Kayo Dot, could gain mainstream acceptance. This was one of the most entertaining and fascinating chapters for me. Meshuggah finally get their thoroughly deserved and warranted extensive treatment; Opeth too; whilst the inventiveness and popularity of Tool and Mastodon are justly celebrated.

17. A Way Out from the Way-out?

The final summing up is a complete pleasure to read, the history of progressive heavy metal music in review. Jeff repeats his Gottlob Frege moment, remarking that "In 2010, Portnoy [and] Dream Theater ... are in a comfortable position." At the time of writing, of course, those four bootmark impressions had yet to appear on Mike's arse - in the words of this chapter's title, on his Way Out. Notwithstanding, the final chapter is a beautiful conclusion to a fantastic account of this form of contemporary art.

Brass Tacks

Finally, an epilogue and three fascinating appendices round off the work; each to my mind hinting at a potential sequel. Please!

The writing style has been dynamic, actively invoking the personalities not just of individual musicians, but of executives and organisations, bands, towns, epochs in time, musical genres and individual audiences. And despite occasional forays into the darker aspects of the music business, into human weaknesses and addictions, the book's emphasis is always, consistently and correctly, focused on the evolution of its musical forms.

Through it all, often unnoticed in its metamorphoses, the uniquely malleable music grows, develops, matures. It casts off old skins and grows new armour. It splits and fractures, throwing out new offshoots, whole hierarchies of new life. A bewildering tapestry of sub-genres, and certainly a great many new follow-up bands, await most readers, almost completely unaware of just how much they are still unaware of.

In its proper historical perspective, Progressive Heavy Metal is destined to be enshrined as one of the greatest, most evolved, varied and significant, and most artistically important, developed and valid, offshoots of Rock. That fact can become only clearer with time. This beautiful, highly authoritative, truly exemplary book is its illuminated manuscript; its codex; its definitive work of reference; its testament and tribute.

“One thing prog metal certainly is, is metal. Hard and bold and brash, but refined, adulterated, and mutated; it is heavy metal taken somewhere illuminating and sometimes bizarre.”
- Jeff Wagner (author), interviewed on Noise Pollution.

Publisher Bazillion Points have come through in the quality department, with photographs, and incidental graphics, being particularly well reproduced; but also, equal attention to paper and print. Which is just as well; this one will have to stand up to multiple readings, no doubt at all about that. Update, Dec 30: Told ya! I've now read it twice, hence this much expanded & updated review. The only question I have for the publisher is: for such a seminal, pathfinding, and goddammit resolutely well researched and significant work as this: why, oh why, no hardback edition?

Finally, for a quite knowledgeable and much more critical commentary on this book, try the Poetry of Subculture blog of Greek graphic artist Telemachus Stavropoulos, at http://poetry-of-subculture.blogspot.com/2010/12/jeff-wagners-mean-deviation-four.html.

* Jazz fans also received honourable mention for creativity!

Mean Deviation: Four Decades of Progressive Heavy Metal
Author: Jeff Wagner (former editor, Metal Maniacs)
Foreword: Steven Wilson (Porcupine Tree)
Artwork: Michel "Away" Langevin (Voivod)
Paperback: 384 pages
Publisher: BAZILLION POINTS (23 Sep 2010)
Language English
ISBN-10: 0979616336
ISBN-13: 978-0979616334

ИѺ ₡Ħℜℐ$✞ℳѦϟ ШĦЇℒ€ ℑℳ ♈ѦℒḲЇℕḠ

By M△S▴C△RA

Found earlier this week on Warren Ellis's blog, thought I'd put another copy of it in here so I can easily find it again (web searches for Mascara failing as yet to yield the desired results):

ИѺ ₡Ħℜℐ$✞ℳѦϟ ШĦЇℒ€ ℑℳ ♈ѦℒḲЇℕḠ by M△S▴C△RA


Hmmm, lovely. I'm hearing early Faust, Zeit-era Tangerine Dream, and contemporary ambient production artifacts... also notes of lemon, cinnamon, coarse grade abrasives, a marzipan of nostalgia... tell you what, just for a bit of context, and since their sixth studio album Lisbon came out less than three months ago, let's also remind ourselves of The Walkmen's 2007 performance of this piece, at Williamsburg Music Hall, NY:



No Christmas While I'm Talking was (still is) from their second album, 2004's critically acclaimed Bows + Arrows. The full effect of the song is only realised when you know the words. Here they are.
When I was told you lied to me
I hung my head in shame
When I was told you were cheating me
I bit my lip in pain

So back up back far away
And you better know now just for a little while
Do it one more time just for a little while
Lyrics are copyright © 2004 by The Walkmen.

Wednesday 8 December 2010

Microsoft's "Do Not Track" Response

IE9 Extreme Preview



On December 1st, the American Federal Trade Commission released its report on consumer privacy, the catchy "Protecting Consumer Privacy in an Era of Rapid Change" (PDF). As detailed in the commission's press release, there are two major talking points in the report:
  1. a proposed framework to balance (a) consumers' privacy interests, with (b) innovation relying on consumer feedback to develop new, beneficial products and services;
  2. a suggested “Do Not Track” mechanism, probably a persistent browser setting, providing control over collection of data about users' online searching and browsing activities.
Microsoft were quick off the mark, with Chief Privacy Officer Brendon Lynch responding that same day, via the legal and policy On The Issues blog, thanking the FTC (note: they also collaborated with the Article 29 Working Party in the EU) for the opportunity to participate in the roundtables forming the basis of the report, and, after bigging up IE8 a little, promising that Internet Explorer 9 will continue this focus and leadership on enabling our customers’ choice and control with respect to their online privacy, and to support the FTC’s continued work to engage all interested stakeholders on these important issues.

In the follow-up, Chief Privacy Strategist Peter Cullen presents a considered review of the issues, and of events leading up to the announcement of a Tracking Protection Feature in IE9, whence the above video demonstration.

Via: Associated Press.

Wednesday 1 December 2010

Tweets - November 2010

Tuesday 30 November 2010

Strangely Reassuring


Update (Dec 13): Bonus Material - On Ledes

When Warren Ellis saw the New Scientist article Mystery 'dark flow' extends towards edge of universe, he reacted to its opening sentence, "Something big is out there beyond the visible edge of our universe", with the immortal and appreciative "Now that’s how to write a fucking lede."

Now in his Lede Of The Day, he makes his own contribution to the Plain English Lede society, in his reaction to the somewhat conservatively stated arXiv article, First Observational Tests of Eternal Inflation:
Let me translate this lede from arXiv for you.
Evidence that our universe has been struck by four other universes.
I hear the faint rustlings of a new meme... following the Chuck Norris template. Compare:
  • When Chuck Norris crosses the road, the traffic looks both ways.
  • Superfluous adjectives, particularly colours, avoid Warren Ellis.

Tuesday 23 November 2010

Ravish

Brash Triple Bass, Brass & Bash

One evening last week, I was visited in succession by a brace of bassmen (a double bassist, and this guy with a Fender Precision), three brass players (baritone, Eb alto and Bb cornet), Sir Patrick Moore and his brand new vibraphone, a monocymbalic percussionist, and the bongo-bedecked ghost of Richard Feynman. I had to work quite fast to keep them all entertained, tossing off this three minute accompaniment to an imagined 70s cop series:


"Ravish" by John M. Kerr.
Creative Commons Licence: Attribution-Noncommercial-Share Alike 3.0 Unported

Like my earlier Drummer's Hashpipe, Ravish started out as a bass guitar exercise. But rather than demonstrating how to build a "walking" bass figure, this time the goal was speed and accurate fingering. When the open E minor pattern is mastered, it can be transposed up a tone for a bit more of a challenge. The technical bass focus does mean that headphone listening is recommended over speakers. Srsly, the cans.

Tuesday 16 November 2010

Security Digest #14

Just a few brief updates to get through this month, here we go...


The Ultimate Stuxnet Update

It was designed, according to Wired's Kim Zetter, to very subtly and specifically sabotage - without noticeably breaking - the very high speed centrifuges used almost exclusively in uranium enrichment. And even then, only at plants equipped with 33 or more frequency converter drives, of a particular kind made by either Teheran's Fararo Paya or Finland's Vacon. The specific attack pattern also depends upon the distribution, i.e. the relative abundances, of Iranian and Finnish converters, with the majority deciding the type of attack.

Stuxnet infections began in January 2009. Six months later the Iranian facility at Natanz suffered a serious incident, disclosed via Wikileaks. Around that time, one sixth of the country's almost five thousand operational centrifuges were inexplicably shut down.


Malware Defeated - Golden Age Arriving

Just kidding. Actually Imperva's annual report "Security Trends for 2011", just published, predicts an increase next year in state-sponsored attacks like the one described above, together with similar increases in Man-in-the-Browser (MitB) Attacks, mobile malware, and consolidation of the "hacking industry".

Also predicted are greater transparency in the security arena; increased emphasis on social network privacy and security (Facebook are you listening); cloud-based data security technologies; information security as a business process; and a convergence of both security and privacy regulation.

Full Imperva report (requires registration): https://www.imperva.com/lg/lgw.asp?pid=425


Security Strategy: From Requirements to Reality (book review)

Not my review this time, but security book writer and serial reviewer Ben Rothke appears very impressed by Bill Stackpole and Eric Oksendahl's "incredibly important and valuable new book", rating it 10/10, and labelling it "One of the best information security books of the last few years."

Vital statistics: the book comprises two main sections: Strategy (chapters 1-6), giving a high-level overview of strategy and then moving on to strategic planning; and Tactics (chapters 7-14), where specific objectives are achieved through procedures and sets of actions.

And here's the quote from Ben that I'm hoping will tease out of my employer a £50 budget for my own copy:

Those who are serious about information security will ensure this is on their reading list, and that of everyone in their organization tasked with information security.

Read Ben's full review on Slashdot: http://books.slashdot.org/story/10/11/15/1346223/Security-Strategy-From-Requirements-To-Reality

Authors: Bill Stackpole, Eric Oksendahl
Pages: 346
Publisher: Auerbach Publications (1 edition, 26 Oct 2010)
ISBN-10: 1439827338
ISBN-13: 978-1439827338


Liquor in the Front - Poker in the Back

Our combined Design / Development / Test departments will continue their headlong plunge towards full speakeasy status this month, with another lock-in featuring discussion of some or other randomly selected Jeff Bridges movie, accompanied by consumption of sundry White Russians. Entertainment is expected to be further enhanced by card games, as our Elevation of Privilege deck nears completion. Like a French Republican, our receptionist scurries as we speak to complete the guillotinings deemed necessary for the improvement of morale...


... and that's that for this, the penultimate digest of 2010.

Monday 15 November 2010

Regex Fuzzing

ReDoS Vulnerabilities

A reader and colleague recently noticed SDL Regex Fuzzer bobbing up and down in this blog's sidebar, and perhaps knowing my association with security and/or regular expressions, asked me a question about it. Ashamed to say, I gave something of a terse, maybe dismissive, answer. In fact I don't even recall exactly what the question was; and the best attempt I can make at a reason or excuse is that at the time, I was en route to my annual review.

I know! And come to think of it, quite why that should have proved so distracting, well now, that escapes me completely. Was I simply too enthusiastic, too keen to reach the grilling room on time? Believe me, no.

So with suitable apologies, let me begin by stating that ReDoS is a meta exploit, almost a new level of sophistication in attack strategy. To explain it properly, we should start with basic, script kiddie, Denial of Service.

Every system's resources are finite, and the more that you succeed in using up, the less there is available to anyone and everyone else. This was my (14yo) thinking when in 1972, I launched my brilliant cyber criminal career, with an attempt to bring down the mainframe servicing our whole school's computing requirements, via the submission of a BASIC Trojan looking a lot like this:
10 GOTO 10
My reasoning was that the computer would be so busy following my instructions, that it would never stop obeying and following my evil program; no other tasks would get a chance to run, and so next week's maths class would be postponed indefinitely.

Of course everyone else in the class tried the same thing, and our efforts were universally frustrated by a Task Scheduling Demon living somewhere in the ICL's shadows. Still, the principle has some merit as an attack strategy, and in one form or another, it lives on today, beyond the mainframe environment. Every server, every website is a zero-sum game; the more of its costly resources (processor time, bandwidth and storage) that you can succeed in having committed to your own code, the less everyone else has available to play with.

Algorithmic Efficiencies

Now, here comes the meta part. Some systems, looking to sanitise their user input data, resort to regular expression (or regex) matching in order to check whether a given prompted input string conforms to the syntax of a well-formed name, address, telephone number, email address, or whatever. But as you'll know if you read my earlier article on regex parsers and non-deterministic finite automata, some implementations of regex matching have their own peculiar weaknesses. "Lazy" implementations in particular can be forced to perform a metric tonne of backtracking, and so can be attacked using certain fixed input strings which take an inordinate time to process.

Now, that in itself is not enough to create an exploitable vulnerability. In addition, you need to find a case where the pattern used by a regex parser to match a given arbitrary line of input is of a type likely to generate a lot of these backtracking steps. An attacker has to search for such cases by trial and error. This is where a Regex Fuzzer comes in: it lets even a "dodgy" parser (and all commercially available regex parsers are, by the definition explained in the aforementioned article, extremely dodgy indeed) be deployed safely, by improving the efficiency of its associated patterns, all without necessarily restricting the range of input strings that it is capable of matching correctly.

Test First

A Regex Fuzzer like the SDL offering keeps the algorithmic implementation constant, lets you vary the target pattern, and then throws systematically randomised input data down its neck. Use it to check your particular patterns for mitigation of the backtracking string vulnerability. Bob's your uncle, Alice your aunt.

In common with all the other SDL tools, the Regex Fuzzer integrates with both the SDL and the MSF-Agile+SDL Process Templates.
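To make the backtracking argument above concrete, here is an added example (not from this post, and not the SDL Regex Fuzzer's own code): a toy backtracking matcher for a small regex subset that counts every step it takes, plus a fuzz-style growth check that feeds a pattern near-miss inputs of increasing length and reports how much extra work each doubling costs. The pattern `(a+)+$` and the poison character `!` are constructed for the demonstration.

```python
# Added example (not from the post or the SDL Regex Fuzzer): a toy backtracking regex
# matcher that counts every step, so catastrophic backtracking can be measured
# deterministically. Supported subset: literals, '.', '(...)', '|', '*', '+', '?', '$'.

def parse(pattern):
    """Turn the pattern into a small tuple-based AST."""
    pos = [0]
    def peek():
        return pattern[pos[0]] if pos[0] < len(pattern) else None
    def take():
        pos[0] += 1
        return pattern[pos[0] - 1]
    def alt():                       # seq ('|' seq)*
        branches = [seq()]
        while peek() == '|':
            take()
            branches.append(seq())
        return branches[0] if len(branches) == 1 else ('alt', branches)
    def seq():                       # (atom quantifier*)*
        items = []
        while peek() not in (None, '|', ')'):
            node = atom()
            while peek() in ('*', '+', '?'):
                node = ({'*': 'star', '+': 'plus', '?': 'opt'}[take()], node)
            items.append(node)
        return ('seq', items)
    def atom():                      # literal | '.' | '$' | '(' alt ')'
        c = take()
        if c == '(':
            inner = alt()
            if peek() != ')':
                raise ValueError('unbalanced parenthesis in %r' % pattern)
            take()
            return inner
        return ('any',) if c == '.' else ('end',) if c == '$' else ('lit', c)
    ast = alt()
    if pos[0] != len(pattern):
        raise ValueError('unexpected %r in %r' % (peek(), pattern))
    return ast


def match_count(pattern, text):
    """Anchored match at the start of text. Returns (matched, steps taken)."""
    steps = [0]
    def m(node, i, k):               # k: continuation that matches the rest
        steps[0] += 1
        kind = node[0]
        if kind == 'lit':
            return i < len(text) and text[i] == node[1] and k(i + 1)
        if kind == 'any':
            return i < len(text) and k(i + 1)
        if kind == 'end':
            return i == len(text) and k(i)
        if kind == 'seq':
            def go(j, p):
                if j == len(node[1]):
                    return k(p)
                return m(node[1][j], p, lambda q: go(j + 1, q))
            return go(0, i)
        if kind == 'alt':
            return any(m(b, i, k) for b in node[1])
        if kind == 'opt':
            return m(node[1], i, k) or k(i)
        # star/plus are greedy: try one more repetition before handing over to k.
        # Every failure further along unwinds back to here; that is the backtracking.
        def loop(p):
            return m(node[1], p, lambda q: q != p and loop(q)) or k(p)
        return m(node[1], i, loop) if kind == 'plus' else loop(i)
    return bool(m(parse(pattern), 0, lambda i: True)), steps[0]


def backtracking_growth(pattern, fill, poison, sizes=(7, 14)):
    """Fuzz the pattern with near-miss inputs (fill repeated n times, then a poison
    character) and return the work ratio between the largest and smallest n: close
    to the length ratio for linear matching, far above it for catastrophic backtracking."""
    work = [match_count(pattern, fill * n + poison)[1] for n in sizes]
    return work[-1] / work[0]


if __name__ == '__main__':
    for pat in ('(a+)+$', 'a+$'):
        print('%-8s doubling the input multiplies the work by %.1f'
              % (pat, backtracking_growth(pat, 'a', '!')))
```

Against the near-miss input, `a+$` roughly doubles its work when the input doubles, while `(a+)+$` multiplies it by over a hundred; that gap is what a regex fuzzer is hunting for.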

Saturday 6 November 2010

The Drummer's Hashpipe

I Made a Movie!

If you ever had a music lesson at school, chances are you'll have been introduced to this little ditty. Ever since Mike Oldfield rounded off the original Tubular Bells with an accelerando rendition, I've included it in every noodling guitar solo I've played - it's really easy to play fast, convincing everyone you're a pretty good guitarist when you're, erm, not. Everyone except those two other guys you happen to know, who actually are good guitarists. Hi Eddie! Neil!

This is a video of (free and open source) MuseScore playing back my arrangement of The Sailor's Hornpipe, captured by CamStudio, with a separate soundtrack added in Windows Live Movie Maker:



Notes are coloured in MuseScore to indicate whether or not they are within the useful range of the selected instruments. Note that almost all of the treble staff is red. These timpani are well out of their depth.

You can see and download the original score at MuseScore's new hosting service here (requires registration using a valid email address):


The Flash player on that site highlights the playing score one bar, rather than one note, at a time.

MuseScore lets you change the instruments associated with each musical staff or grand staff, which means you can work out any unusual harmonies using a clean default sound (such as "Piano"), before converting the result to something completely inappropriate like this. You can even substitute entire "Sound Fonts", containing whole orchestras of sounds, for the default one.

Update: what do you get if you duplicate the entire grand staff, then change the instrument in the copy from "Piano" to "Drumkit"? Just to be clear, each digit is assigned some effectively random instrument of mass percussion (and there are two pea whistles in the bag).

Answer: The Devil's Pot Pipe - another comic rearrangement of the 18th century hornpipe for tortured timpani, this time with added nursery percussion group, and an unhinged parrot:

Neil Gaiman's "The Price"

By The Fans, For The Fans

I've had to keep a close eye on both wife and wallet, since this project recently appeared on Neil Gaiman's website. Although fans can contribute as little as $10, apparently if you contribute $1,000 to Christopher Salmon's Kickstarter project, to turn Neil's brilliant short story The Price into a CG, 2½D, fully scored and author-narrated movie, then one of the goodies you'll bag for that contribution is a genuine Associate Producer credit on the finished work:


Barely managing to span pages 51 to 57 of Neil's Smoke and Mirrors collection, The Price tells the touching and engrossing story of an enigmatic Black Cat, arriving on the porch one summer. Over the days and weeks his fortunes seem to wax and wane, as do those of his adopted family. Then one night, another visitor arrives at the gate...

This is shaping up to be a seriously high quality adaptation, paced lento and considered, as the source requires - and indeed deserves. With the boost of support on the author's blog (Neil has even more readers than me, you know) the project appears now to have every chance of reaching its funding target. I really hope it does. Christopher Salmon appears very talented, original and creative, as well as profoundly committed to his dream. And the work done so far is achingly beautiful, particularly the detail on both the cat, and the author.



Neil's reading is available as a free audio download, links to which are available, both legally and otherwise, from various places. But since one of those places is the "Exclusive Material" section of Smoke and Mirrors, I won't be linking to it here. Update: Neil has now made his narration freely available here (15½ minutes).

Funding updates:

Nov 10: Wow, one third funded and still three weeks to go. Looks even more as if this project will succeed. Oh, and happy 50th today, Neil!
Nov 12: Two fifths funded. Wow again. Yes, I do love me some properly reduced fractions.
Nov 18: Hmm, nine twentieths. Wonder why BoingBoing hasn't given this one a boost yet?
Nov 22: One half. Eight days left.
Nov 23: Fourteen twenty-fifths. Seven days. Oh, and happy 52nd today, me!
Nov 24: Three fifths. Six days.
Nov 26: Thirteen twentieths. Four days.
Nov 27: Eight elevenths. Three days left. Can't look. Yet must.
Nov 28: Three quarters. 2½ days.
Nov 29: Four fifths. 42hrs. Five sixths. 38 hrs. Seventeen twentieths. 34 hrs.
Nov 30: Nineteen twentieths. 24 hrs. Twenty four twenty fifths. 23 hrs. Thirty five thirty sixths. 21 hrs. One whole. 17 hrs to spare.


Via: GeekDad (Wired).

Monday 1 November 2010

Tweets - October 2010
Sunday 31 October 2010

Hallow Tao

The Hard Root

Hallowe'en is hard,
Hollowing is hard.
There are many turnips --
Which am I to hollow?...

With apologies to Li Po.

Tuesday 26 October 2010

Belts, Braces, Rawlplugs

Fabricating Security

These guys have the right idea: a programming language that won't allow you to write insecure code. That language goes by the handle Fabric, and is currently under development by Cornell University's Applied Programming Languages Group (APLG).

Distributed computing systems comprise many interconnected nodes, and the level of trustworthiness varies across this landscape. The approach taken in Fabric is to attach security policies, by means of type annotations, to every object, and even to blocks of code. An object's policies control what operations may be performed on it, and so how its data can be accessed and changed, as well as by whom. Code policies determine where and when a particular block of code can be run.

As the APLG page puts it, "Fabric provides decentralized yet compositional security." High availability is provided using peer-to-peer replication. The new language is implemented on top of an earlier security-oriented/extended language called Jif ("Java + Information Flow"), itself compiled in Polyglot Java, so it inherits many features crucial for language-based reasoning about security in complex applications (selective, robust downgrading; language-based access control; dynamic labels; dynamic principals). Fabric also adds a guarantee of strong consistency, with the help of a hierarchical, two-phase commit protocol, respecting data security.

Version 0.1.0 of the Fabric prototype is available for download here:


Via: /.

Saturday 23 October 2010

Take The Paper

Technology Fail

See, that's what happens when you let these printer manufacturers rip you off with their wet razor business model. First, their toners and inks become, quite literally, more expensive than gold dust. Meanwhile, the non-consumable part of the deal - the manufacture of the actual printer - has slid so far down the durability slope, that it's achieved parity. Replete with delicate plastic hinges and cogs, precision engineered by the cost-benefit equations of modern quality control, it can now be relied upon to cease functioning, and instead to whirr and roll unproductively, exactly ninety one days after unpacking. Meet the new consumables.



Hat tip: John Scalzi.

Playing Solo

Scoring Your Own

Nothing beats the buzz of playing along with your fellow musicians. Particularly when you've reached the "mindreading" stage, where your individual improvisations overlap, coinciding in point of rhythm and key; it's almost a psychic experience. But for every hour spent together refining and polishing your collaboration, two or three or more have to be spent practising in isolation, discovering and learning new tricks and repertoire, to ensure that you always have something new, interesting and fresh to bring to the next session.

Today's tech can help every amateur gain more from these private studies. Let me take that back, in fact. That was yesterday's tech; today's, well that can turn any toddler into a mixmaster.

So now, as we patiently await the imminent arrival of Pai Mei's ten-point palm exploding heart technique - sorry, I mean, universal ten-finger multi-touch user interface - here are a few of the more interesting music making websites out there. Some are just for fun; others have enough on offer to let you get excited and make things.



Ken Brashear's Virtual Drumkit
http://kenbrashear.com/
Level: drive-by.

Sitting at the resolutely fun/beginner side of our studio, Ken's site features a 15-piece* set of skins and cyms that you can play by either clicking or just moving the mouse over them, or using the keyboard shortcuts.


Fun, certainly, but not too practical without multitouch, and even then, would suffer from too much latency to be really useful.

* I counted the hi-hat as 2 pieces, because well, it does comprise two cymbals, and there are two ways to play it: stick and pedal.



Tony-b Machine 3.0
http://www.tony-b.org/
Level: beginner.

Speaking of just for fun, the Tony-b Machine hits the floor running, with a catchy beat already playing on a stylised laptop. You control the bass, drums, melody, vocals, patterns and accompaniments using various rows of keys, organised in a scheme that's simply far too ludicrously easy to pick up. Just go there. Then click Start.

Within seconds there'll be more musical talent in your little pinkie than in Simon Cowell's whole genome (if there isn't already). Tweak and mix, cut and add, then once you've become utterly addicted, as you will, explore the online tutorials and forums to learn how to expand, develop, loop, sequence, and publish your clubby little masterpieces.

Seriously, it really is that addictive. You'll see. In fact, why don't you just put down that cup of coffee, Go There Right Now, and click Start (open that link in a new window, so you can follow the instructions below). If bass and melody are already running, locate and press the appropriate keys (4 and 7) to stop them temporarily. Also press A and V if their corresponding keys in the onscreen keyboard are not already down (note: although there is also an AZERTY keyboard alternative UI, this brief tutorial assumes you're a QWERTY type of person). Now start playing:
Drums first. Locate the Q - W - E - R keys and then press them, one at a time, allowing at least a full eight beats to elapse between these.

Now press 5 to bring in the bass. Simmer for 10 seconds and then add a twist of middle melody with 8. That sounds a bit lax, so break it with 9. That's better, now do the same to the bass with 6.

Next add a touch of decoration by cycling the 1 - 2 - 3 keys. Leave a beat or two between these. When you get tired of that press 0 (zero) to cancel this accompaniment.

Now for some advanced stuff! On the bottom two rows of the keyboard, locate the following key pairs: SZ - DX - FC - GV. Now press these pairs, one pair at a time, leaving just two beats between pairs. Experiment with more pairs on these key rows. You're now playing melody and bass, not in unison, but in harmony! Try to hit the keys "early" so the transitions land just where you want them. Press A and V when you're done with that.

Now use the rest of the top row T - Y - U - I - O - P to add some tastefully vocoded lyrics. While you do that, also press 1 or 2 or 3 occasionally to vary the accompaniment.

Finally, wind it down. Press 0 (zero) to stop the accompaniment; 8 and 5 to simplify the melody and bass, followed by 7 and 4 to park them; and last of all, shut down your rhythm section in the reverse order to which you started them, so: R - E - W - Q.
You can hear my version of the above by searching for user name dogbiscuituk, track name Basics. Click the CD icon to access thousands of recordings by hundreds of other artists, and get a feeling for what's achievable. At the time of writing, Italy's Dyablo is the star player, with recordings of Waka Waka, Blue, Barbie Girl and The Final Countdown.

Now, the real challenge is not to do it again!

Below are a few more sites to progress on to, with successively more samples, options, voices, etc., and correspondingly steeper learning gradients.



musicshake
http://eng.musicshake.com/
Level: intermediate.

First order of business here is to click on the Tutorial tab, then Basics in the sidebar, to acquaint yourself, via the medium of video tutorials, with the installation (Windows only) and use of this music creation tool.

Select from a library of over half a million copyright-free music and instrument samples. Record and incorporate your own voice. Use their Music Robot, a proprietary algorithm, to add harmonies. Create songs and ringtones, download as MP3s (note: this is a paid feature), and share on social networks or embed them anywhere with the Musicshake Widget.

Watch out for their scheduled server update-downtime, on Oct 25.



Aviary Music Creator
http://www.aviary.com/
Level: advanced.

Roc is the name of the music creation app in the Aviary suite. Select your instruments from soundbanks containing over 50 different types of guitars, keyboards, percussives and more.

With Aviary we are beginning to get into the area of music creation tools which can support your own compositions, rather than relying almost exclusively upon sample banks. But for actual musicians, as distinct from console ones, even better is available, and it's still free...



MuseScore
http://musescore.org/
Level: professional.

With the sole exception of a beautiful Epiphone Hummingbird, this last one must be my favourite musical plaything. It's a WYSIWYG score editor, a serious compositional tool, using the same input methods as popular commercial offerings like the proprietary Finale and Sibelius; but crucially, now in its third year of independent development, it's still free (yes there is a Donation page on the musescore.org website, but that's just to support the site itself; all coding, documentation and forum support are provided free of charge, by teams of double rainbow-bedecked angels riding on unicorns).

Advanced features include cross-staff beams, automatic left/right note head positioning in chords, slur edit mode, and drum notation. Currently available for Windows, Mac and Linux.

Saturday 16 October 2010

AntiXSS 4.0

Microsoft Anti-Cross Site Scripting Library V4.0...

... has recently been released.

Microsoft's AntiXSS 4.0 is the latest release of an encoding library, built to help developers to protect ASP.NET web-based apps from cross-site scripting attacks. AntiXSS 4.0 uses a so-called "white list" technique, unlike most such encoding libraries; this defines an "allowable" character set, outside of which anything else gets encoded.

Now I hear you shout, "What are some of the most exciting features of the new version?" - and because I aim to please you, here is your appetizer:
  • Medium Trust Support has been provided, by the simple expedient of moving GetSafeHtml() and GetSafeHtmlFragment(), the HTML sanitizing methods which require full trust and unsafe code permissions, into their own separate "HtmlSanitizationLibrary" assembly. Everything else works just fine with medium trust.
  • You can now modify the safe list for HTML/XML encoding, based on the Unicode Code Charts for the languages your app typically expects to encounter in its working day.
  • Support for HTML 4.01 named entities, and for surrogate characters, has been added.
  • HtmlFormUrlEncode - encodes according to W3C specs for application/x-www-form-urlencoded MIME type.
I hear too that LdapEncode has been split into LdapFilterEncode and LdapDistinguishedNameEncode, which operate according to RFC4515 and RFC2253 respectively; but I have no idea if the guy telling me that was on drugs or something. All I remember is that one used '\' and the other '#'...
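The "white list" idea is simple enough to show in a few lines. The following is an added example in Python, not the AntiXSS library's own code: everything outside an explicitly allowed set of code points becomes a numeric entity, the safe list can be widened by Unicode range as the post describes, and a form-URL encoder is included for the application/x-www-form-urlencoded case. The unreserved set used by the form encoder follows the common URLEncoder convention and is an assumption, not taken from the library.

```python
# Added example (not the AntiXSS library's code): the "white list" encoding idea
# from the post, in Python. The encoder never has to know which characters are
# dangerous; it only has to know which ones are harmless.

# Baseline safe list: ASCII letters, digits, space and a few punctuation marks that
# cannot open a tag, attribute or entity. '<', '>', '&', '"' and "'" are absent.
BASE_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")


def safe_list(*ranges):
    """Baseline plus inclusive Unicode code point ranges, mirroring the post's
    'extend the safe list per language' feature, e.g. safe_list((0x00C0, 0x00FF))
    admits the Latin-1 letters."""
    allowed = set(BASE_SAFE)
    for lo, hi in ranges:
        allowed.update(chr(cp) for cp in range(lo, hi + 1))
    # Never let a caller whitelist the HTML metacharacters by accident.
    return allowed - set('<>&"\'')


def html_encode(text, allowed=BASE_SAFE):
    """White-list encode text for an HTML text or attribute context."""
    out = []
    for ch in text:
        if ch in allowed:
            out.append(ch)
        else:
            # ord() yields the full code point, so a character outside the BMP
            # (stored as a surrogate pair in .NET) becomes one entity, not two.
            out.append('&#%d;' % ord(ch))
    return ''.join(out)


def html_form_url_encode(text):
    """application/x-www-form-urlencoded: space becomes '+', and everything outside
    the unreserved set is percent-encoded byte by byte as UTF-8. The unreserved set
    here ('-._*' plus alphanumerics) is the usual URLEncoder convention (assumption)."""
    unreserved = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._*")
    out = []
    for ch in text:
        if ch in unreserved:
            out.append(ch)
        elif ch == ' ':
            out.append('+')
        else:
            out.extend('%%%02X' % b for b in ch.encode('utf-8'))
    return ''.join(out)
```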

As befits such a mission-critical tool, the Library is licensed under an open source licence, namely the Microsoft Public Licence, which can be seen at http://www.microsoft.com/opensource/licenses.mspx. The Source is available on CodePlex.

Diagonal Stripes

Diagonal Stripes
Copyright © 2010 by Heather Marshall

That's the name Little Niece has given to her latest exhibit in the abstract expressionist mould. Philistines that we are, we reckon it's better viewed in landscape, and interpreted as a psychedelic vista of rolling fields. But then again, there are apparently still several Mark Rothko originals in various locations throughout the world, to this day exhibited in this, and other, incorrect orientations. Only the artist ever knows the ultimate truth; and in this case, she's not telling.