Tuesday, 30 November 2010

Strangely Reassuring

Update (Dec 13): Bonus Material - On Ledes

When Warren Ellis saw the New Scientist article Mystery 'dark flow' extends towards edge of universe, he reacted to its opening sentence, "Something big is out there beyond the visible edge of our universe", with the immortal and appreciative "Now that’s how to write a fucking lede."

Now in his Lede Of The Day, he makes his own contribution to the Plain English Lede society, in his reaction to the somewhat conservatively stated arXiv article, First Observational Tests of Eternal Inflation:
Let me translate this lede from arXiv for you.
Evidence that our universe has been struck by four other universes.
I hear the faint rustlings of a new meme... following the Chuck Norris template. Compare:
  • When Chuck Norris crosses the road, the traffic looks both ways.
  • Superfluous adjectives, particularly colours, avoid Warren Ellis.

Tuesday, 23 November 2010
Brash Triple Bass, Brass & Bash

One evening last week, I was visited in succession by a brace of bassmen (a double bassist, and this guy with a Fender Precision), three brass players (baritone, Eb alto and Bb cornet), Sir Patrick Moore and his brand new vibraphone, a monocymbalic percussionist, and the bongo-bedecked ghost of Richard Feynman. I had to work quite fast to keep them all entertained, tossing off this three minute accompaniment to an imagined 70s cop series:

"Ravish" by John M. Kerr.
Creative Commons Licence: Attribution-Noncommercial-Share Alike 3.0 Unported

Like my earlier Drummer's Hashpipe, Ravish started out as a bass guitar exercise. But rather than demonstrating how to build a "walking" bass figure, this time the goal was speed and accurate fingering. When the open E minor pattern is mastered, it can be transposed up a tone for a bit more of a challenge. The technical bass focus does mean that headphone listening is recommended over speakers. Srsly, the cans.

Tuesday, 16 November 2010

Security Digest #14

Just a few brief updates to get through this month, here we go...

The Ultimate Stuxnet Update

It was designed, according to Wired's Kim Zetter, to very subtly and specifically sabotage - without noticeably breaking - the very high speed centrifuges used almost exclusively in uranium enrichment. And even then, only at plants equipped with 33 or more frequency converter drives of a particular kind, made by either Teheran's Fararo Paya or Finland's Vacon. The specific attack pattern also depends upon the distribution, i.e. the relative abundances, of Iranian and Finnish converters, with the majority deciding the type of attack.

Stuxnet infections began in January 2009. Six months later the Iranian facility at Natanz suffered a serious incident, disclosed via Wikileaks. Around that time, one sixth of the country's almost five thousand operational centrifuges were inexplicably shut down.

Malware Defeated - Golden Age Arriving

Just kidding. Actually Imperva's annual report "Security Trends for 2011", just published, predicts an increase next year in state-sponsored attacks like the one described above, together with similar increases in Man-in-the-Browser (MitB) Attacks, mobile malware, and consolidation of the "hacking industry".

Also predicted are greater transparency in the security arena; increased emphasis on social network privacy and security (Facebook are you listening); cloud-based data security technologies; information security as a business process; and a convergence of both security and privacy regulation.

Full Imperva report (requires registration): https://www.imperva.com/lg/lgw.asp?pid=425

Security Strategy: From Requirements to Reality (book review)

Not my review this time, but security book writer and serial reviewer Ben Rothke appears very impressed by Bill Stackpole and Eric Oksendahl's "incredibly important and valuable new book", rating it 10/10, and labelling it "One of the best information security books of the last few years."

Vital statistics: the book comprises two main sections: Strategy (chapters 1-6), giving a high-level overview of strategy before going on to strategic planning; and Tactics (chapters 7-14), where specific objectives are achieved through procedures and sets of actions.

And here's the quote from Ben that I'm hoping will tease out of my employer a £50 budget for my own copy:

Those who are serious about information security will ensure this is on their reading list, and that of everyone in their organization tasked with information security.

Read Ben's full review on Slashdot: http://books.slashdot.org/story/10/11/15/1346223/Security-Strategy-From-Requirements-To-Reality

Authors: Bill Stackpole, Eric Oksendahl
Pages: 346
Publisher: Auerbach Publications (1st edition, 26 Oct 2010)
ISBN-10: 1439827338
ISBN-13: 978-1439827338

Liquor in the Front - Poker in the Back

Our combined Design / Development / Test departments will continue their headlong plunge towards full speakeasy status this month, with another lock-in featuring discussion of some or other randomly selected Jeff Bridges movie, accompanied by consumption of sundry White Russians. Entertainment is expected to be further enhanced by card games, as our Elevation of Privilege deck nears completion. Like a French Republican, our receptionist scurries as we speak to complete the guillotinings deemed necessary for the improvement of morale...

... and that's that for this, the penultimate digest of 2010.

Monday, 15 November 2010

Regex Fuzzing

ReDoS Vulnerabilities

A reader and colleague recently noticed SDL Regex Fuzzer bobbing up and down in this blog's sidebar, and perhaps knowing my association with security and/or regular expressions, asked me a question about it. Ashamed to say, I gave something of a terse, maybe dismissive, answer. In fact I don't even recall exactly what the question was; and the best attempt I can make at a reason or excuse is that at the time, I was en route to my annual review.

I know! And come to think of it, quite why that should have proved so distracting, well now, that escapes me completely. Was I simply too enthusiastic, too keen to reach the grilling room on time? Believe me, no.

So with suitable apologies, let me begin by stating that ReDoS is a meta exploit, almost a new level of sophistication in attack strategy. To explain it properly, we should start with basic, script kiddie, Denial of Service.

Every system's resources are finite, and the more that you succeed in using up, the less there is available to anyone and everyone else. This was my (14yo) thinking when in 1972, I launched my brilliant cyber criminal career, with an attempt to bring down the mainframe servicing our whole school's computing requirements, via the submission of a BASIC Trojan looking a lot like this:
10 GOTO 10
My reasoning was that the computer would be so busy following my instructions, that it would never stop obeying and following my evil program; no other tasks would get a chance to run, and so next week's maths class would be postponed indefinitely.

Of course everyone else in the class tried the same thing, and our efforts were universally frustrated by a Task Scheduling Demon living somewhere in the ICL's shadows. Still, the principle has some merit as an attack strategy, and in one form or another, it lives on today, beyond the mainframe environment. Every server, every website is a zero-sum game; the more of its costly resources (processor time, bandwidth and storage) that you can succeed in having committed to your own code, the less everyone else has available to play with.

Algorithmic Efficiencies

Now, here comes the meta part. Some systems, looking to sanitise their user input data, resort to regular expression (or regex) matching in order to check whether a given prompted input string conforms to the syntax of a well-formed name, address, telephone number, email address, or whatever. But as you'll know if you read my earlier article on regex parsers and non-deterministic finite automata, some implementations of regex matching have their own peculiar weaknesses. "Lazy" backtracking implementations in particular can be forced to perform a metric tonne of backtracking, and so can be attacked using certain fixed input strings which take an inordinate time to process.

Now, that in itself is not enough to create an exploitable vulnerability. In addition, you need to find a case where the pattern used by a regex parser to match a given arbitrary line of input is of a type likely to generate a lot of these backtracking steps. An attacker has to search for such cases by trial and error. This is where a Regex Fuzzer can be deployed: it ensures that even a "dodgy" parser (and all commercially available regex parsers are, by the definition explained in the aforementioned article, extremely dodgy indeed) can be used safely, by improving the efficiency of its associated patterns, all without necessarily restricting the range of input strings that it is capable of matching correctly.

Test First

A Regex Fuzzer like the SDL offering keeps the algorithmic implementation constant, lets you vary the target pattern, and then throws systematically randomised input data down its neck. Use it to check your particular patterns for mitigation of the backtracking string vulnerability. Bob's your uncle, Alice your aunt.
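As an added illustration of what such a fuzzer is measuring (this is my own example, not the SDL tool's code), the probe below keeps the engine constant (Python's backtracking re module), feeds a pattern inputs of growing length that fail only at the last character, and flags super-linear growth in matching time. The nested-quantifier "digits only" pattern and its flat rewrite are constructed for the demonstration; the threshold of 20x is an assumed heuristic, not a figure from the SDL tool.

```python
"""Black-box ReDoS probe: time a pattern on growing near-miss inputs and
flag catastrophic (super-linear) growth, as a regex fuzzer would."""
import re
import time

# Constructed patterns: a naive "digits only" check with a nested
# quantifier, and an equivalent pattern that accepts the same strings.
NESTED = r"^(\d+)+$"   # backtracks exponentially on "111...1x"
FLAT = r"^\d+$"        # same language, linear time


def probe(pattern: str, n: int, iters: int = 20) -> float:
    """Seconds to run `iters` matches of an n-digit input that fails only at
    its final character, which forces the engine to exhaust every way of
    splitting the digits between the nested quantifiers."""
    rx = re.compile(pattern)
    text = "1" * n + "x"
    t0 = time.perf_counter()
    for _ in range(iters):
        rx.match(text)
    return time.perf_counter() - t0


def growth_ratio(pattern: str, small: int = 8, large: int = 16) -> float:
    """Slow-down factor between `small` and `large` characters of input.
    A linear engine gives roughly large/small; a backtracking blow-up gives
    orders of magnitude more (2^(large-small) partitions here)."""
    return probe(pattern, large) / max(probe(pattern, small), 1e-9)


def is_redos_prone(pattern: str, threshold: float = 20.0) -> bool:
    """Assumed heuristic: flag the pattern if doubling the input makes it
    more than `threshold` times slower."""
    return growth_ratio(pattern) > threshold


def same_language(p1: str, p2: str, samples) -> bool:
    """Confirm a rewritten pattern accepts exactly what the original did,
    so hardening has not narrowed the accepted input range."""
    r1, r2 = re.compile(p1), re.compile(p2)
    return all(bool(r1.match(s)) == bool(r2.match(s)) for s in samples)


SAMPLES = ["", "1", "12345", "12a45", "123 ", " 123", "1" * 30]

if __name__ == "__main__":
    for p in (NESTED, FLAT):
        print(f"{p:10} growth x{growth_ratio(p):.0f}  prone={is_redos_prone(p)}")
    print("same language on samples:", same_language(NESTED, FLAT, SAMPLES))
```

Timing is wall-clock, so run it on an otherwise idle machine; the equivalence check is the part that tells you a rewrite is safe to ship.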

In common with all the other SDL tools, the Regex Fuzzer integrates with both the SDL and the MSF-Agile+SDL Process Templates.

Saturday, 6 November 2010

The Drummer's Hashpipe

I Made a Movie!

If you ever had a music lesson at school, chances are you'll have been introduced to this little ditty. Ever since Mike Oldfield rounded off the original Tubular Bells with an accelerando rendition, I've included it in every noodling guitar solo I've played - it's really easy to play fast, convincing everyone you're a pretty good guitarist when you're, erm, not. Everyone except those two other guys you happen to know, who actually are good guitarists. Hi Eddie! Neil!

This is a video of (free and open source) MuseScore playing back my arrangement of The Sailor's Hornpipe, captured by CamStudio, with a separate soundtrack added in Windows Live Movie Maker:

Notes are coloured in MuseScore to indicate whether or not they are within the useful range of the selected instruments. Note that almost all of the treble staff is red. These timpani are well out of their depth.

You can see and download the original score at MuseScore's new hosting service here (requires registration using a valid email address):

The Flash player on that site highlights the playing score one bar, rather than one note, at a time.

MuseScore lets you change the instruments associated with each musical staff or grand staff, which means you can work out any unusual harmonies using a clean default sound (such as "Piano"), before converting the result to something completely inappropriate like this. You can even substitute entire "Sound Fonts", containing whole orchestras of sounds, for the default one.

Update: what do you get if you duplicate the entire grand staff, then change the instrument in the copy from "Piano" to "Drumkit"? Just to be clear, each digit is assigned some effectively random instrument of mass percussion (and there are two pea whistles in the bag).

Answer: The Devil's Pot Pipe - another comic rearrangement of the 18th century hornpipe for tortured timpani, this time with added nursery percussion group, and an unhinged parrot:

Neil Gaiman's "The Price"

By The Fans, For The Fans

I've had to keep a close eye on both wife and wallet, since this project recently appeared on Neil Gaiman's website. Although fans can contribute as little as $10, apparently if you contribute $1,000 to Christopher Salmon's Kickstarter project, to turn Neil's brilliant short story The Price into a CG, 2½D, fully scored and author-narrated movie, then one of the goodies you'll bag for that contribution is a genuine Associate Producer credit on the finished work:

Barely managing to span pages 51 to 57 of Neil's Smoke and Mirrors collection, The Price tells the touching and engrossing story of an enigmatic Black Cat, arriving on the porch one summer. Over the days and weeks his fortunes seem to wax and wane, as do those of his adopted family. Then one night, another visitor arrives at the gate...

This is shaping up to be a seriously high quality adaptation, paced lento and considered, as the source requires - and indeed deserves. With the boost of support on the author's blog (Neil has even more readers than me, you know) the project appears now to have every chance of reaching its funding target. I really hope it does. Christopher Salmon appears very talented, original and creative, as well as profoundly committed to his dream. And the work done so far is achingly beautiful, particularly the detail on both the cat, and the author.

Neil's reading is available as a free audio download, links to which are available, both legally and otherwise, from various places. But since one of those places is the "Exclusive Material" section of Smoke and Mirrors, I won't be linking to it here. Update: Neil has now made his narration freely available here (15½ minutes).

Funding updates:

Nov 10: Wow, one third funded and still three weeks to go. Looks even more as if this project will succeed. Oh, and happy 50th today, Neil!
Nov 12: Two fifths funded. Wow again. Yes, I do love me some properly reduced fractions.
Nov 18: Hmm, nine twentieths. Wonder why BoingBoing hasn't given this one a boost yet?
Nov 22: One half. Eight days left.
Nov 23: Fourteen twenty-fifths. Seven days. Oh, and happy 52nd today, me!
Nov 24: Three fifths. Six days.
Nov 26: Thirteen twentieths. Four days.
Nov 27: Eight elevenths. Three days left. Can't look. Yet must.
Nov 28: Three quarters. 2½ days.
Nov 29: Four fifths. 42hrs. Five sixths. 38 hrs. Seventeen twentieths. 34 hrs.
Nov 30: Nineteen twentieths. 24 hrs. Twenty four twenty fifths. 23 hrs. Thirty five thirty sixths. 21 hrs. One whole. 17 hrs to spare.

Via: GeekDad (Wired).

Monday, 1 November 2010

Tweets - October 2010