Monday 30 August 2010

Security Digest #12

This month's headlines: an aviation disaster report, and a perfect quantum crypto hack.


Programmer Kills 154 in Air Crash

The Register reports what might be the first ever case of malware contributing directly to the cause of a fatal air crash:
The accident on take-off happened after pilots had abandoned an earlier take-off attempt and a day after two other reported problems on board. If the airlines' central computer was working properly a take-off after three warnings would not have been allowed, thereby averting the tragedy.
On August 20th 2008, a McDonnell Douglas MD-82 aircraft owned by Spanair, on scheduled flight number JK 5022 to Las Palmas, crashed just seconds after taking off from Barajas Airport, Madrid, with 172 people on board. The crash and subsequent fire killed all but 18.

Now it has emerged, according to a report in the Spanish El Pais daily newspaper, that multiple problems with the plane failed to raise any alarm, due to the existence, at the time of the fatal crash, of Trojan infections on the airline's central maintenance computer.

According to the report by independent crash investigators,
The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences.
(TechNewsDaily report here) The lessons to be drawn from this are surely too obvious to need repeating, and particularly so for anyone working in the intersection of the software and aviation industries (holds up hand).


Quantum Cryptos Pwned

Recent months have seen several commercial quantum encryption systems apparently compromised, although in the related wars of words, grey areas have emerged in questions such as: what levels of error occurrence and detection can be achieved, and what levels should be used for intruder detection.

This report is different. From the University of Science and Technology, Trondheim Norway, via Nature Photonics, comes word of Lars Lydersen and his international team of research colleagues, who have successfully cracked two commercially available quantum crypto systems, Switzerland's ID Quantique, and MagiQ Technologies of Boston Mass., obtaining full disclosure of their quantum encryption keys without detection.

The exploit is a "purely technological" one, which the two companies should have no problem in mitigating. It involves shining a continuous mW laser at the receiver, rendering it blind to the quantum properties of the incoming data stream, while still receiving and responding correctly to the contained classical data.

However it does raise the question of whether any practical system - in this case, both were quantum key distribution (QKD) implementations - can be designed which does not exhibit such technological deficiencies and vulnerabilities, and just how this could possibly be proved.


XSS Excesses

Casale Media's Julia Casale-Amorim wrote in detail about a well-structured and professional looking "malvertising" attempt made by fake agency BellasInteractive on her display media company.

This is an extensive and incredibly detailed analysis of a sophisticated system of attack that's becoming more common (recent reports here have placed XSS incidents second in frequency only to SQL injections). Chilling to think how many similar exploits run successfully to completion and publication, without being detected until they appear as statistics on a security vendor's annual survey.


That is all.

Friday 27 August 2010

Yes Harmonix - You Win

Fragile Five Come To Rock Band

Well, of course I knew it would happen eventually, but today they've finally snagged me. The full playlist for Rock Band 3 has just been announced, and it includes the 1971 classic Yes track Roundabout.



Trouble is, I am and have always been a total Yes completist. To the exclusion of anyone else for some years, in fact, until Steven Wilson brought me back to muso-diversity with Porcupine Tree's Deadwing (yet I only heard them when they toured supporting Yes). Of course many of us have bought multiple copies of our favourite artists' albums to replace worn out ones over the years, but the true completist always owns multiple mint copies in various editions of each favourite work, and like a master of Pokémon, has to collect them all. I've written here before about my old trading website and its extensive collection of bootleg Yes concerts, but I also bought things like the 5.1 DVDA remix of Fragile (see below) immediately on release, even though I had no facility to play it, nor any immediate intention of acquiring one.

I am delighted beyond the capacity of any delightometer to register and measure, that the Yes track chosen to pop their Rock Band cherry was not their only ever number one hit, Odour Of A Homely Fart, but instead the magnificent Roundabout. From the equally groundbreaking, trailblazing, genre defining and otherwise utterly, uniquely object-verbing Fragile album (which alone in their back catalog features the perfect lineup of Anderson, Bruford, Howe, Squire and Wakeman, inevitably known to fans as "The Fragile Five"), this is a composition that marries classical sensibilities of structure, melody and progression, with perfect jangly pop singalongability and an optimistic though typically abstract lyric. Which just happens to contain coded references to driving along the banks of Loch Lomond. In an altered mental state, yeah.

Yes Harmonics

The track is also a favourite with new guitarists because of Steve Howe's use of open-string harmonics in the introduction. I wonder how those will be handled in the execution of the game version? And will it be the full 8½ minute version? And what about those rapid keyboard arpeggios? They're trying to flog the keyboard peripheral, hence the choice of music, but (on the other hand, as it were) you shouldn't have to be Rick Bloody Wakeman to play it! So expect some simplification there too.

The full list of 83 tracks announced for Rock Band 3 makes an impressive arc, spanning rock and pop from the 1960s to the 2000s. Here are my top eleven choices:
  • Avenged Sevenfold, The Beast & the Harlot
  • The B-52's, Rock Lobster
  • Big Country, In a Big Country
  • The Cure, Just Like Heaven
  • Echo & the Bunnymen, The Killing Moon
  • The Flaming Lips, Yoshimi Battles the Pink Robots Pt. 1
  • John Lennon, Imagine
  • Queens of the Stone Age, No One Knows
  • The Smiths, Stop Me if You Think You've Heard This One Before
  • Them Crooked Vultures, Dead End Friends
  • Yes, Roundabout
Then of course there's another tranche of hits that just seem to fit the format so perfectly, it's hard to imagine not giving them a go after a small sherry:
  • David Bowie, Space Oddity
  • Deep Purple, Smoke on the Water
  • Elton John, Saturday Night's Alright for Fighting
  • Golden Earring, Radar Love
  • INXS, Need You Tonight
  • Lynyrd Skynyrd, Free Bird
  • Queen, Bohemian Rhapsody
  • Ramones, I Wanna Be Sedated
  • Slipknot, Before I Forget
  • Steve Miller Band, Fly Like an Eagle
  • T. Rex, 20th Century Boy
So now, sadly, I must have Rock Band 3. And all of the peripherals that can be used on the Yes track. It's out in October. Not too long before my birthday. Linda! Linda? Come back here! Santa? Anyone?

Monday 23 August 2010

O God, O New Scientist!

Schrödinger's Cat Observed

New Scientist magazine, in the printed, dead-tree edition, has a regular snarky page which lovingly details the copious nonsense and hilarious mistakes often reported in the press under the guise of some or other scientific principle or theory.

Sometimes though, I have to despair for the journalistic and editorial standards of New Scientist itself. As for instance in the current issue, where a moderately interesting article on foundational research in quantum physics offers examples of "physical predictions that are confirmed time and time again by experiment".

The third of these examples: "cats that remain suspended between life and death as long as we don't look at them".

LOL... I had no idea that one had been directly verified, in experiments using actual cats!

Photo credit: Creative Commons Attribution-Share Alike 3.0 Unported.
Title credit: Psalm of Montreal, Samuel Butler, 1878.

Friday 20 August 2010

Naked Physics

Update: I just checked Google Analytics, and this here entry had 38 (discrete!) hits yesterday. It also happens to be linked from my comment to Raymond's article, which is, you guessed it, comment number 39. I've always said: blogs are the world's first write-only medium.

The Old New Thing's Raymond Chen threw down the gauntlet this week, challenging any and all comers to come up with a real-world, actually-happened, physics-related pun, even more lame than his own prize sample. To give you an idea of the level of competition involved, his example involved meeting two colleagues named "Paul" in the works kitchen, allowing him to quip "Oh no, is this legal? I think it's a violation of the Paul Exclusion Principle."

Beat that for lame, eh? Easy.

I attended the Summer School for an Open University physics - sorry, natural philosophy - course some years (ok, decades) ago. It was held at the University of Sussex, near beautiful Brighton, sunny Sussex by the sea. At that time, the area was famous for hosting the one and only nudist beach in Britain. So on the evening of the first day, a group of us decided to grab our Kodak Instamatic 126es, and go for an off-campus drive (I was easily led). Just to see what we could see...

Never mind what we saw, that's completely irrelevant! We saw the sea. The point is that we made good our "escape", without getting arrested (nor forced to strip).

When we arrived back at the halls of residence, we encountered one of the physics - sorry, natural philosophy - tutors, whom we recognised from earlier in the day. At that time, he'd been telling us about energy levels in the atom, which can either be spaced a quantum apart (discrete), or else overlap (degenerate). We now offered to buy him a drink at the students' bar, and in the course of subsequent conversation, he happened to ask where we'd been earlier in the evening.

We told him we'd gone looking for the nudist beach, but we reckoned we'd managed to get away again without anyone spotting us.

"I see," he said thoughtfully, "you guys are quite degenerate. And yet quite discrete."

Disclaimer: parts of this story are true.
Bonus material: We also have two Pauls in our office. Fortunately they have opposing values of spin.

Thursday 12 August 2010

Have Some Malware!

You Might Not Want To Do This...

People in the RSS feed won't have seen Jesse Collins's eicar reminder float gently past in the sidebar this week, so here's the skinny. If you copy and paste the following line of text into Notepad, and then save it (either as text, or as a quaint in-memory image ".com" file; surprisingly it does double duty as perfectly executable x86 code), then your antivirus software will throw a hissy fit:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


That's because it thinks it's found a virus! But what it's actually found is an industry standard fingerprint, recognised by all AV providers as a test pattern. Quite a useful test, it lets you check that your disks are in fact being scanned as advertised.
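Here is an added example, not code from the original post, showing the recognition rule behind that "industry standard fingerprint": the EICAR test string is exactly 68 bytes, it must sit at the start of the file, and only whitespace may follow it up to a total of 128 bytes. The published MD5 and SHA-256 of the bare 68-byte string are included so a scan result can be cross-checked; the string is assembled from fragments at run time, which is an assumption of this example rather than anything the EICAR specification requires.

```python
"""Recognise and verify the EICAR anti-virus test file in memory.

Added example (not from the original post). Assumes the EICAR detection
rule: the 68-byte test string at offset 0, optionally followed by
whitespace, total file size at most 128 bytes.
"""
import hashlib

# Assembled from fragments at run time so that this source file itself
# does not carry the signature and get flagged while sitting in an editor.
_FRAGMENTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)

# Well-known published digests of the bare 68-byte string.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the 68-byte test string exactly as it should appear on disk."""
    return "".join(_FRAGMENTS).encode("ascii")


def is_eicar(data: bytes) -> bool:
    """Apply the EICAR detection rule to a file image held in memory."""
    sig = eicar_bytes()
    if len(data) > 128 or not data.startswith(sig):
        return False
    # Anything after the signature must be whitespace only.
    return data[len(sig):].strip(b" \t\r\n") == b""


def verify_eicar(data: bytes) -> dict:
    """Report length and digests, and whether they match the published values."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "length": len(data),
        "md5": md5,
        "sha256": sha256,
        "matches_published": md5 == EICAR_MD5 and sha256 == EICAR_SHA256,
    }


if __name__ == "__main__":
    sample = eicar_bytes()
    print(verify_eicar(sample))
    # Trailing newline (as Notepad may add) is still a valid test file;
    # an arbitrary string is not.
    print(is_eicar(sample + b"\r\n"), is_eicar(b"not a test file"))
```

The digest check is the useful part in practice: a scanner that reports a detection on a file whose bytes do not hash to the published values has matched something other than the standard pattern, and a scanner that stays silent on a file that does hash to them has not scanned that location.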

...And Why Not?

So if it's not an actual virus, just a harmless test pattern, then why exactly might you not want to do this?

Well, precisely because your anti-malware will (hopefully!) quarantine, and otherwise restrict your permissions to interact with, this new file. All of which can make it rather difficult to remove it from your disk - unless your AV solution steps up, as Kaspersky does above, with a Delete option.

You're welcome.

More Big Numbers

Millions and !!Billion!!s

There's been a bit of comment in recent months about the use of million and billion in the media, particularly with all the bank and big business bailouts that have occurred, and the apparently insatiable appetites of their fat cat executives for telephone number bonuses. And yet, just as truth is the first casualty in any conflict, so perspective is rarely allowed to stand in the way of popular journalism.

As is often the case, Randall Munroe's XKCD nailed it best (click through for the full strip and punchline):



But I'm particularly fond of the way newsreaders and politicians, in mitigation of the above, invariably explode the word "billion" at us, almost as if it begins and ends with double exclamation marks. There seems always to be a multiply exaggerated pause in the middle of the discourse, while they build up the head of steam they judge necessary to shock us out of our reverie, wherein we would otherwise have been certain to have misheard them say merely "million". Then all of a sudden, there's that precisely timed unleashing of - what can only be described as - a bomb of high pressure air, spit, and thunder: !!Billion!!

4,294,967,296

Speaking of billions, I was shocked - shocked I tell you! - on attending my first local [programming language name redacted] users' group those years ago. For some well forgotten reason, the question arose of assigning a unique IP address to each and every one of the "four point something billion" people who happened to be on the planet that day. Did anyone have any idea if IPv4 would suffice? Rhubarb ran around the room.

What's shocking about that? Well, trouble is, the industry was just then at the midpoint of its 32-bit processor "plateau", which had been heralded by the Intel 80386 processor, and so everything was encoded into 32 bits. Now if there's one arithmetical thing more important than multiplication tables to a software engineer, it's her powers of two. Each of the first sixteen is an old friend, the next sixteen are at least familiars, and the last and most important of these, two to the power of thirty-two, is famously around four billion and something. I think it may be a wisdom that's passed on through mother's milk. Remember that old lullaby?
♫ Forty-two, ninety-four, ninety-six; ♫
♫ Seventy-two, ninety-six. ♫
Anyway, I sat there in complete and utter disbelief, chin on floor. In a room full of the very people - software developers of the 32-bit era - most likely to know the answer to this one very specific question, "Can a 32-bit number represent four billion?" To be fair, I don't know how many others were similarly appalled, but I'd certainly like to think it was most of us.

Update, related: Five billionth device about to plug into Internet.

Miles And Miles From Watford

Back again to editorial perspective, and a Telegraph article on the latest Hubble eye candy, NASA's "stunning" new image of a spiral galaxy, places it "trillions of miles from earth". This attempt at an indication fails abysmally, by some nine orders of magnitude, or in other words, by a factor of a billion. The object in question is in fact almost two sextillion miles afar.

It's a significant and most unfortunate failure, in the entire history of the concise and accurate conveyancing of scientific facts. And yet all of the information that would have been needed to improve upon it, why that's already present in the body of the article.

One light year is about 6 trillion miles, and our sun's nearest stellar neighbour, Proxima Centauri, is more than 4 light years distant. So anything at all outside of the solar system is quite literally "trillions of miles from earth". Including, of course, every other single, double and multiple star in our Milky Way galaxy.

But most objects are not in our galaxy, nor anywhere near it. The island universe in question is the very beautiful (and incorrectly reported as "edge-on") spiral NGC-4911 in the Coma cluster. Its distance from "earth", and indeed from everything else that's in our galaxy and visible in the night sky, is about 320 million light years. That's what I call almost two sextillion miles.

Perhaps the Telegraph article could have read "billions of trillions"? As it stands, it might almost as accurately and meaningfully have said "hundreds of miles from Britain." Either way, it looks like the writer knew what he was talking about, and his editor made him look foolish. Oh well, never mind, thanks for the NASA picture anyway.

Yes, it is a beautiful galaxy. I wonder what its inhabitants think of ours?

Update: here is a pretty good picture (actually more of a photo essay) of a quadrillion.

Wednesday 11 August 2010

The Last Find

The Science Blog, as we know that format today, was invented by John Carlos Baez on January 19th 1993, with the first edition of This Week's Finds in Mathematical Physics. And just this very today, an era was brought to an end with the 300th and final edition of that resolutely Web 1.0 bulletin.

Having so recently celebrated the first birthday of this little blog, it's quite sad to have to turn now to an obituary for the demise of a personal favourite. Issue #300 ended quite happily on a high, illustrating for us how to categorify the Riemann zeta function, whilst visiting "lots of our old friends one last time: the number 24, string theory, zeta functions, torsors, Joyal's theory of species, groupoidification, and more."

More indeed. John will continue to contribute at the math, physics and philosophy group research blog The n-Category Café, and the collaborative category theory rich Wiki-lab nLab. His new blog Azimuth will cover diverse subjects: "from math to physics to earth science, biology, computer science, economics, and the technologies of today and tomorrow – but in general, centered around the theme of what scientists can do to help save the planet."

Go, John! But whatever else you may do in the future, to me you will always be the best guy to explain the relationship between the hypercomplex numbers of the four normed division algebras (real, complex, quaternion and octonion); Bott periodicity; and the exceptional Lie groups. The guy who came to my home town, two Septembers ago, to present the Rankin Lectures at Glasgow University, and to talk about his favourite numbers - which happened to be 5, 8, and 24. Obviously.

And as much as I know that I'll thoroughly enjoy following the upcoming Azimuth content, I also know that I will forever miss the crusty old serifs of This Week's Finds. Au revoir, mon vieil ami!

Photograph of John Baez by Lee Smolin.

Wednesday 4 August 2010

Security Digest #11

This month: Black Hat, leaky phones, scary botnets...

UK-Specific Zeus 2.0 Botnet

Frustrating it may be, in addition to providing all of my other security details, to have to remember a long customer reference code each time I visit the site; nevertheless, I can honestly say I've never been tempted to automate my online banking login with a GreaseMonkey script. And today, upon reading the comments of Rapport supplier Trusteer's CEO Mickey Boodaei and CTO Amit Klein, on the discovery of a pure "very focused" Zeus 2.0 Botnet, 100,000-PC strong, specifically targeted at UK banks and the private data of their customers, I'm quite glad that for once, I have managed to keep the lid on a particular source of curiosity.

Going beyond the usual haul of user IDs and passwords, this particular bundle of fun snags client-side resources such as your certificates and cookies (including those of social networking sites), harvesting these for banking site login information, credit and debit card details, bank statements, FTP credentials, and sundry personal data, such as your date of birth, workplace and job, which might be used as a basis for security questions.

With its friendly and readily searchable "Google-like" front end, this was the first pure example of the emerging Zeus 2.0 to be found "in the wild"; but apparently there are others around, too. One rather important fact to keep in mind is that "Zbot" often changes its form or "fingerprint" in order to avoid detection by your anti-malware.

2G GSM Broken, Pope Catholic

The DefCon® hackers' meet (Las Vegas, July 30 - August 1) provided a number of high profile scoops, some preannounced, some out of the blue black. Judged most newspaper-worthy was Chris Paget's $1500 GSM cellular network base station spoof, which allows anyone with an interest to intercept and eavesdrop on 2G conversations. The mechanics of the trick were already well known:
  • Set up your base station with a good strong signal. Advertise it as belonging to a compatible operator.
  • When a handset is enticed to connect to you, connect to the real network. Begin relaying authentication tokens transparently.
  • Handset authenticates with network, which does not reciprocate (a known 2G vulnerability).
  • Network tells handset not to encrypt (e.g. because strong encryption is disallowed in your country).
  • Handset complies without displaying the mandated warning, because manufacturer has deemed this too annoying.
The real story is that a well-known vulnerability gets somewhat cheaper to exploit each year, but that 3G tech, particularly when applied at 2G frequencies to mitigate against the blocking vector, will soon put paid to its shenanigans.

Wiretap Kiddies & Black Hat Redux

Poor beleaguered old GSM was also a big target of attack at the Black Hat® Technical Security Conference briefings earlier in the week (also in Las Vegas, July 28-29). Visit Dan Goodin at The Register, to hear about "a comprehensive set of tools" aimed at eavesdropping even on encrypted calls over GSM networks.

Famous DVD-CSS cracker Frank A. Stevenson from Oslo developed one of these tools: Kraken, which attacks GSM's A5/1 algorithm using a 1.7TB lorryload of rainbow tables. According to the project's cryptographer Karsten Nohl (of Security Research Labs, Berlin), GSM hacking has reached the level that Wi-Fi hacking reached a couple of years ago: script-kiddies cracking their neighbour's Wi-Fi, and forcing the widespread adoption of WPA/TKIP over WEP.

Black Hat was a furiously busy time for Microsoft's SDL team. Bryan Sullivan presented a hot topic talk on Cryptographic Agility, or the ability to inject alternative cryptographic algorithms or implementations into apps without source code changes. Adam Shostack reprised his brilliantly conceived card game, “Elevation of Privilege: The Easy Way to Threat Model.” Finally there was also a multiple SDL presence at (SAFECode's) Grant Bugher's brainstorming panel, gathering "vision and approaches on improving software assurance" from the security community; the results of which should be up on the SAFECode blog any day now... oh, here's an SD Times article on it.
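As an added illustration of the cryptographic agility idea above (example code, not from the original post nor from Microsoft's SDL material), here is one way to keep an application's choice of hash algorithm out of its source: the name comes from configuration, an allowlist rejects algorithms that policy no longer permits for new digests, and every stored digest is tagged with the algorithm that produced it, so that a later policy change can still verify old records and flag them for re-hashing. The allowlist, the legacy set and the `alg$hex` record format are assumptions of this example.

```python
"""Configuration-driven hash selection for integrity digests.

Added example. Assumes: an allowlist of algorithms permitted for new
digests, a legacy set that may still be verified but not created, and
a self-describing "<algorithm>$<hexdigest>" record format.
"""
import hashlib
import hmac

ALLOWED = {"sha256", "sha384", "sha512", "sha3_256"}   # assumed policy
LEGACY_VERIFY_ONLY = {"sha1", "md5"}                    # assumed policy


class HashPolicy:
    """Picks the algorithm from configuration instead of from source code."""

    def __init__(self, config: dict):
        name = config.get("hash_algorithm", "sha256").lower()
        if name not in ALLOWED:
            raise ValueError(f"algorithm {name!r} not permitted for new digests")
        self.name = name

    def digest(self, data: bytes) -> str:
        # Tag the output with its algorithm so verification can choose the
        # right one later, even after the configured default has moved on.
        return f"{self.name}${hashlib.new(self.name, data).hexdigest()}"

    def verify(self, data: bytes, stored: str) -> bool:
        alg, _, hexdigest = stored.partition("$")
        if alg not in ALLOWED | LEGACY_VERIFY_ONLY:
            return False
        actual = hashlib.new(alg, data).hexdigest()
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(actual, hexdigest)

    def needs_rehash(self, stored: str) -> bool:
        """True when the record was made under a different algorithm than now configured."""
        return stored.partition("$")[0] != self.name


if __name__ == "__main__":
    old = HashPolicy({"hash_algorithm": "sha256"})
    record = old.digest(b"constructed sample payload")
    # Operator later changes only the configuration, not the code:
    new = HashPolicy({"hash_algorithm": "sha512"})
    print(record)
    print(new.verify(b"constructed sample payload", record), new.needs_rehash(record))
```

Swapping the algorithm is then a configuration change plus a background pass that re-hashes whatever `needs_rehash` reports, while attempts to configure a legacy algorithm for new digests fail at start-up rather than quietly producing weak output.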


Please remember: don't have nightmares, do sleep well.

Sunday 1 August 2010

Tweets - July 2010