Thursday 29 July 2010

A Fabulous Coding Adventure

Contains No Spoilers

I've said it before; my favourite tech blog is Eric Lippert's Fabulous Adventures In Coding. There's simply no-one else out there bringing such regular, reliably lucid exposition of matters algorithmic, to the community of C# developers.

Today, however, Eric surpasses even himself, with the fifth and final piece in his (prerecorded) series ostensibly about functional techniques, and the mathematical process of graph colouring. Before going into detail about it, let me just point to some of Eric's previous "greatest hits", as listed in this post from Jeff Atwood's Coding Horror, including the highly authoritative four-part series on security and encryption: You Want Salt With That? Eric is also probably the best person in the world to explain concepts like Idempotence and Orthogonality for you, whenever you need that done.

Drawing and Colouring In

Okay, back to today's adventure. Part One starts out innocuously enough, with the stated aim of using "a fairly straightforward problem" - map colouring - to investigate the applicability and the utility of certain techniques from the field of functional programming. Specifically, the interplay between imperative loops and declarative LINQ queries, and possible roles for immutable data structures. Here, Eric sticks to the stated program: weighing up the pros and cons of each design decision; enumerating, explaining and evaluating the many trade-offs encountered. Ending with a well-considered data structure design, this opening article already marks the series as a classic, with the sheer breadth of his design considerations, and the depth of their exposition. For example:
The class is internal, not public. I want this to be an implementation detail of my application, not a part of a general-purpose library. As we'll see, this decision has an effect on other implementation choices. (Tradeoff: again, potential code reuse by others vs increased design and maintenance costs)
(Eric always uses the purple crayon.) Part Two continues by applying the same highly detailed approach to complete the data structure design. Part Three, also continuing with the same cost-benefit analysis approach at each stage, presents the basic backtracking algorithm; weighs the expository power of recursion, against the performance benefits of eliminating it; and best of all, shows clearly the benefits of going with immutability in the data structure design, given that backtracking algorithm.

Just a Minute... Just a Minute...

Part Four tests the resultant solution on a map of South America. But then it takes an unexpected turn into a thinly disguised topological realm, where non-planar and non-global maps are considered. What's happening now? The solution turns out to be equally applicable to a toroidal world (think: Asteroids!) where seven regions are each connected to every other. Eric leaves us with the threat of more "particularly interesting graphs" with "lots of fully connected subsets" next time.

But next time, we'll find we're not in Kansas any more. We're on neither plane, nor sphere, nor torus. We're in a world of 16 countries. No wait, 81 countries. All fully edge-connected in little uniform alliances. We're in ... some kind of ... puzzle. Has anybody seen Part Five?
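To make the immutability point concrete, here is my own sketch of a backtracking map colourer (added here; it is not Eric's code, and the Colouring, Map and Colourer names are mine). The partial assignment is an immutable linked list, so a failed branch is dropped simply by returning, with nothing to undo; it is tried on a small constructed map and on the seven mutually adjacent regions of the torus.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from Eric Lippert's series; all names are this
// example's own. A partial colouring is an immutable linked list: each
// candidate extension is a new node sharing the old tail, so abandoning a
// branch needs no undo step.
internal sealed class Colouring
{
    public static readonly Colouring Empty = new Colouring(-1, -1, null);
    private readonly int region;
    private readonly int colour;
    private readonly Colouring rest;

    private Colouring(int region, int colour, Colouring rest)
    {
        this.region = region;
        this.colour = colour;
        this.rest = rest;
    }

    // Returns a new colouring; 'this' is left untouched.
    public Colouring With(int r, int c) => new Colouring(r, c, this);

    // Linear lookup; fine for maps of a few dozen regions.
    public int ColourOf(int r)
    {
        for (var node = this; node != Empty; node = node.rest)
            if (node.region == r) return node.colour;
        return -1; // not yet coloured
    }
}

internal sealed class Map
{
    private readonly List<int>[] adjacency;
    public int RegionCount => adjacency.Length;

    public Map(int regionCount, params (int A, int B)[] borders)
    {
        adjacency = Enumerable.Range(0, regionCount).Select(_ => new List<int>()).ToArray();
        foreach (var (a, b) in borders)
        {
            adjacency[a].Add(b);
            adjacency[b].Add(a);
        }
    }

    public IEnumerable<int> Neighbours(int r) => adjacency[r];

    // Complete graph on n regions: every region borders every other,
    // as in the seven-country toroidal world.
    public static Map Complete(int n) =>
        new Map(n, Enumerable.Range(0, n)
                             .SelectMany(a => Enumerable.Range(a + 1, n - a - 1).Select(b => (a, b)))
                             .ToArray());
}

internal static class Colourer
{
    // Returns a complete colouring using at most 'colours' colours, or null if none exists.
    public static Colouring Solve(Map map, int colours) => Extend(map, colours, 0, Colouring.Empty);

    private static Colouring Extend(Map map, int colours, int region, Colouring soFar)
    {
        if (region == map.RegionCount) return soFar;
        for (int c = 0; c < colours; c++)
        {
            // Skip any colour already used by a coloured neighbour.
            if (map.Neighbours(region).Any(n => soFar.ColourOf(n) == c)) continue;
            var result = Extend(map, colours, region + 1, soFar.With(region, c));
            if (result != null) return result;
            // Backtrack: 'soFar' was never mutated, so there is nothing to restore.
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample: a small planar map (a triangle plus two more regions), 3-colourable.
        var planar = new Map(5, (0, 1), (0, 2), (1, 2), (1, 3), (2, 3), (3, 4));
        Console.WriteLine(Solve(planar, 3) != null ? "planar: 3 colours suffice" : "planar: needs more");

        // Seven mutually adjacent regions need all seven colours.
        var torus = Map.Complete(7);
        Console.WriteLine(Solve(torus, 6) == null ? "K7: 6 colours fail" : "K7: unexpected");
        Console.WriteLine(Solve(torus, 7) != null ? "K7: 7 colours succeed" : "K7: unexpected");
    }
}
```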

Happy Birthday To Me

♫ Good Morning To All ♫

Today marks the end of this little blog's first orbit around the sun. It was born shortly after my manager showed me this MSDN article, titled Security Briefs: A Conversation About Threat Modeling:

Written as a play, the piece is actually an "amalgam" of various computer security related conversations that its author Michael Howard, one of Microsoft's Principal Security Program Managers, has had with (non security specialist) software developers over many years.

The article struck me as interesting, easy on the eye and brain, even a little amusing. We agreed it might be possible to use such a light hearted approach to help and encourage the introduction of the subject of computer security into everyday conversation at work. Or if you'll forgive a brief overstatement: to use humour as a tool, to introduce Microsoft's Security Development Lifecycle (SDL) into our company, by the medium of blog.

Taking a cue from Raymond Chen's pattern of alternating technical and more personal, nontechnical items, my initial target was to produce about 8 articles in total each month, half of these technical, and half not. Further, the technical ones would be split into half security-related, and half not. Well, one year later I can honestly say that I've continued to hit this target reliably every month. That's a total of eleven months, including the 62-day annual marathon that is Decembuary...

Every article is written for an audience of one. The security stories are for my manager: my first, and still my most faithful, RSS subscriber. By extension, they're also intended for colleagues in Development and related areas. The remaining technical articles might be the result of a particular question or conversation I've had with someone, and that person becomes the perceived audience. Finally, the nontechnical stuff, being literally whatever is on my mind at any given moment, has an intended readership that is effectively random.

Has the experiment succeeded? Well, I do get comments about certain articles, and frequently enough to encourage me to keep going; but to be honest, the technical items appear to get least attention, and the security related items, least of all. Still, that suggests that if nothing else, some colleagues are being drawn to read the blog in the first place, and so are perhaps being brought a little closer to those security related stories than they might otherwise have been. And in any case, it is still an ongoing experiment...

Also, some work has been done towards consolidating a set of security coding standards, guidelines, best practices and related patterns, together with proposals for threat modelling, all based on the introduction of a Security Development Lifecycle into our company. These deliverables have come out of the research required for past, security-related blog articles, so in that sense, the experiment might be regarded as successful; at least, once these proposals are in a form suitable for internal publication.

And that's really all there is to say about that. In closing, here's an appropriately nostalgic link to the original, introductory article:

Happy birthday, little bloggie.

Wednesday 28 July 2010

The Artichoke of Attack

They Shallot Pass

Onion, that steadfast, reliable, archetypal model of network security, was reportedly receiving therapy today, having broken down in tears after this stinging and allegedly unprovoked attack by Cisco network consulting engineer Kurt Grutzmacher: "You used to hear about hackers having to peel away at the network’s onion layers, but in the borderless environment, that analogy does not apply."

"We gave service for years, decades even, to modelling the typical network's defences against threats and vulnerabilities" said a tearful Onion, in an apparent reference to its ofttimes colleague, Wild Leek. "Suddenly Cisco's mid-year security report comes out, and this guy's all like, It's not onions any more, it's more of an artichoke. I mean, WTF? So we're being replaced... by a fucking thistle?"

A representative from the pair's legal firm, Scallions Garlic and Chives, was later quoted as saying "We are naturally disappointed by Cisco's decision. We have many members, far more capable of representing attack surfaces in this new, so-called borderless environment. This could all have been better handled without going outside the family. The new Artichoke guy, sure he sounds tough, but underneath it all, he's not that hard. We call him Cisco's Thistle. But he ain't even got no sting."

In other news, ogres are expected to continue to have layers; donkeys, not so much.

Book Review: Security Patterns

Integrating Security and Systems Engineering

From the excellent Wiley series in Software Design Patterns comes an impressively ambitious tome, claiming to cover "real-world knowledge and experience from international security experts." It uses the hugely successful paradigm of design patterns, an approach to provision of vocabulary and communication between software professionals, which has become the norm in recent years.

Like all the best software design patterns books, this one sports a handful of authors (in this case a gang of five), acting both as expert contributors in their own right, and also as editors / leaders of a much larger team of contributors (in this case 21). Such a spread of expertise and experience is understandably necessary, given the ambitious scope of this book.

Also in the tradition of the best patterns books, we find the articles categorised into functional groups. In particular, after five satisfyingly brief chapters of introduction, chapters 6 through 13 deal with the subfields of Risk, Authentication, Access Control, System Access, OS Access, Audits, Firewalls and Internet Apps, each of which can be studied almost independently of the others (though there are some cross references). The volume is rounded off with a substantial case study (IP Telephony) and finally some remarks on Antipatterns and Misuse Cases.

Within the main sequence of pattern-related chapters, adherence to a stencil or template aids digestion, as with the original Go4 book. In all, 46 instances are delivered. Each has a name, with possible alternative AKAs, and includes sections titled Example, Context, Problem, Solution, Dynamics, Implementation, Example Resolved, Variants, Known Uses and Consequences. Additional sections e.g. Structure are added as appropriate in the context of the individual pattern or family.

Examples are particularly well handled, and comprise an (inevitable, but) excellent compromise between the complexities of real life scenarios, and the conflicting constraints of abstraction and teachability.

Overall, the patterns approach works particularly well. Which is unsurprising; after all, it was originally applied with unprecedented success to the field of software design generally. But then, most software bugs are security bugs, in the sense that they expose something to the user that was not intended to be revealed by the developers. There is therefore a sizable intersection in the Venn Diagram of Software v Security, where the applicability of any given approach transfers seamlessly.

The scope of the book is enormous, extending often outwith the limits of software and IT. And just like the huge subject of security itself, the book is a part of its own ecosystem, rooted at its main website www.securitypatterns.org, and with an active forum at its (members only) Yahoo! Group, http://tech.groups.yahoo.com/group/securitypatterns/.

One reviewer at Amazon.com says, "this isn't a book you'd sit down and read from cover to cover"; but I'd respectfully disagree. It is exactly the kind of book readily consumed in that way by anyone appreciative of the patterns structure and approach - and, of course, with an accompanying interest in security.

Security Patterns: Integrating Security and Systems Engineering
Wiley Software Patterns Series [Hardcover]
Authors: Frank Buschmann, Eduardo Fernandez-Buglioni, Duane Hybertson, Peter Sommerlad, Markus Schumacher.
2006
ISBN-10: 0470858842
ISBN-13: 978-0470858844

Tuesday 27 July 2010

Two Colours Red

It can get a little confusing when two of your favourite artists have movies coming out simultaneously, and both movies are called RED:

Above: Felicia Day's RED movie. Below: Warren Ellis's RED movie.

Not that I'm complaining, oh no. That I would never do, certainly not. This is not just another RED RED Whine.

Tuesday 20 July 2010

I Voted for the Hugos!

And You Can Too!

SF (and by that I mean Science Fiction, quite tolerably with a latter day extension to include Fantasy, hence SF/F; but no, no indeed, not SciFi, and most assuredly, definitively, absolutely certainly, not SyFy) has always been an important part of my cultural life, and of the cultural lives of many of my friends. Ever since - depending upon your age and experience - the start, or the finish, of its golden age, namely the late 1950s and early 1960s. For that was when we bright and promising young future citizens were routinely winning school prizes such as Tom Swift and His Rocket Ship (1954, by John Almquist), or His Outpost in Space (1955, by James Duncan Lawrence); decades before it became politically incorrect to give out any kind of prize to anyone, for anything at all.

You might imagine, judging from these book titles, that Tom Swift was a kind of Harry Potter of his day, only with a somewhat more open-ended franchise. Well, no. The first book in series one was Tom Swift and his Motor Cycle; or, Fun and Adventure on the Road (1910); the last, in series 4 proper, Quantum Force (April 1993). By comparison, Potter is but an eye-blink in the geological epoch of Swift. But the "main sequence" of books all shared that familiar, SF genre-defining, characteristic of constrained speculation.

Subsequent schooldays supplied our spongiform minds with an apparently endless stream of this absorbing literature, whether Gollancz yellow jacket hardback from the school or local libraries, or pulp paperback from tobacconists, purveying Poul Anderson, James Blish (whom we discovered through his Star Trek script adaptations, but who then dazzled us like a doe in the road, with the last word in space opera - his sprawling, gutwrenching, Heinleinesque, eternity-spanning Cities In Flight quadrilogy), British supreme twistmeister John Brunner (who tragically died at the 1995 WorldCon event in my home town), L. Sprague de Camp, Harlan Ellison, Lester del Rey, Bob Shaw (remember Slow Glass?), Clifford D. Simak, or A. E. van Vogt.

Today, it is an almost unique privilege, to be able to read in the blog of one of the undisputed masters of SF, the nonagenarian Frederik Pohl, his reminiscences and firsthand personal memoirs and accounts of those other great enlighteners - those fearless imagineers - Isaac Asimov, John W. Campbell, Arthur C. Clarke, Robert A. Heinlein, Frank Herbert, E. E. "Doc" Smith, and still others. So the very fact alone, that Fred's website is up for a Hugo Award (Best Fan Writer) this year, would possibly have been enough to persuade me to part with the Aussiecon 4 Supporting Membership fee. As a member I'd be eligible, not only to vote in the final ballot of the 2010 Hugo Awards, but also to nominate in the 2011 Hugo Awards!

But Wait There's More

Now if enough isn't enough already, then note that Hugo winner John Scalzi, current SFWA President and creative consultant on TV's Stargate Universe, has recently been making a serious effort to get more people to vote, by personally persuading the many publishers involved to make available for download (only to voters), DRM-free, electronic copies of the nominated books. This year's is a truly bumper package, and the fact that it contains, amid much else, four full novels that I'd intended to buy anyway (oh! oh! oh! and a PDF of Batman: Whatever Happened to the Caped Crusader? written by Neil Gaiman, and illustrated by Andy Kubert and Scott Williams), pushed me over the edge with all the commitment of that van in Christopher Nolan's Inception.

Okay, so never mind that "the books balance". I'll probably end up buying these ones in dead tree format anyway, just as I still back up my music collection with dead plankton platters. Regardless...

Voting for the Hugo Awards means honouring both the genre and these great thinkers and writers, some of whose commitment and dedication to the public understanding of science rivals that of a Carl Sagan, Charles Simonyi, or Richard Dawkins. It advertises a contemporary interest in a viable SF/F scene outwith Hollywood. On the day when Amazon's ebook sales overtook their hardbacks, it carries the message that we still want to pay to keep this quality of writing alive. And we hope that it gives hope, stamina and encouragement, to the new torchbearers - Bear, Doctorow, Kowal, Miéville, Priest, Scalzi, Stephenson, Stross, Valente, and all the rest - thankfully, too numerous to enumerate!

At this self same time, voting for enlightened creativity, of the kind exemplified by the SF tradition, demonstrates our reluctant awareness of, and a longing for a life beyond, the electrochemical anaesthesia that today grips our children - exactly as it did the denizens of Arthur C. Clarke's The Lion of Comarre (1949). What do they know of their reality? It was thanks to SF alone that I left primary school, pre-teen, knowing already of such wonders as the predicate calculus, group theory, hypercomplex numbers, relativity and quantum electrodynamics; having met already the genius of Goldbach, de Fermat, Schopenhauer, Wittgenstein, Galois, Frege, Gödel, Turing, Schrödinger, Heisenberg. My debts of gratitude for such enlightenment and liberation are incalculable, even in principle.

Now Get Off Your Ass

Hey: it's still July. The deadline for voting in this year’s final ballot is: 31 July 2010 23:59 PDT (Sunday, August 1, 2010 02:59 EDT, 06:59 UTC/GMT, 16:59 AEST). So don't leave it until the last minute. Because, well you see, that particular minute is after the deadline, for some odd reason. There's still time to get a supporting membership, complete with access to the Hugo Voter’s Packet, which admittedly you'll have to read rather quickly. And you can still vote - I did!

~

Update [5 Sep]: Fred Wins!

I just enjoyed a relaxing Scottish Sunday morning, following the 2010 Hugo Award Ceremony live from Melbourne via the Cover It Live text feed provided by Cheryl Morgan and Mur Lafferty, at the Melbourne auditorium; and Mary Robinette Kowal, joining in from Dragon*Con. Neil Gaiman was online contributing too, and cheering with everybody else when Fred won. It's like Wil Wheaton often says: I love living in the future! Only the near future, mind you. The live video feed was unwatchable.

Not all of my top choices won their categories. But enough did, and enough of the remaining categories were won by my second choices, that I have to say I'm personally convinced, as in sold, on the merits of the hypercomplex vote counting and recounting system that WorldCon and The Hugo Awards have evolved for this event.

And the main result, the award for best novel, was a two-way tie. What better way can there be to prove to people that their votes matter? Despite the forementioned complexities of that voting system, I can say with certainty that China Miéville would not have a Hugo Award today, were it not for my own, personal vote. Guy owes me a Guinness.

Photo of Elizabeth Anne Hull, Fred, the Hugo, and Steven Silver, by Cathy Pizarro

Calling All Bounty Hunters

Upping The Anti

Almost five years ago, on August 15th 2005, TippingPoint augmented its own research organisation DVLabs with the additional zero day research of a growing network of "extended researchers", through the launch of the Zero Day Initiative (ZDI). The main stated aims of the ZDI were to leverage "the methodologies, expertise, and time of others; encourage the reporting of zero day vulnerabilities responsibly to the affected vendors by financially rewarding researchers; [and] protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the affected vendor is working on a patch."

This was a relatively novel approach at the time, although not entirely unheard of. Give or take a matter of some months, VeriSign's iDefense Vulnerability Contribution Program (VCP), an initiative that now "pays more for meaningful high-quality research than anyone", also dates back approximately that far. Their Contributor Portal allows researchers to submit vulnerabilities, then track progress as they are evaluated and processed, "simplifying the overall process and allowing faster response."

In more recent years, there has been a steady increase in the number of organisations buying vulnerabilities from researchers. While these initiatives have established a legitimate, public "market place" for bugs, there has also been a corresponding increase in pressure, from researchers in the field, upon vendors, to do the same thing: to offer bug bounties. In January of this year, for example, Google started a new program paying security researchers $500 for each security bug found either in the Google Chrome browser, or else in its open source code base, Chromium.

The Mozilla Bounty

The Mozilla Foundation, whose efforts in this direction originate an even more venerable six years ago - with the help of the start-up funding provided by Linspire and Mark Shuttleworth, in 2004 - has now announced, in its latest initiative to enlist more help finding bugs in its most popular software, an increase in the cash reward for reporting a valid, critical security bug. Your remote exploit will now bag you $3000 (and of course, one Mozilla T-shirt), a considerable hike from the original $500.

The new prize applies to original and previously unreported, critical or high severity remote exploit security bugs "present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products."

Lucas Adamski, Mozilla's director of security engineering, wrote in a blog post, "A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information [...] We hope other organizations will match our program and actively support constructive security research."

Meanwhile, such calls are also increasing for other vendors, for example Microsoft (who have seen a recent tailing off in the number of exploit research reports submitted to them gratis), to redouble their efforts, the better to engage with the community of researchers. Calls like this one, from Kaspersky's Threat Post.

Update, July 20: Google just updated their vulnerability disclosure policy, while on the Chromium blog, simultaneously increasing their maximum reward for single critical bugs to "eleet", i.e., $3,133.7 - is that seven cents, or seventy? - celebrating, they say, "approximately six months" of the Chromium Security Reward program. So, nothing whatsoever to do with the Mozilla announcement, then.

Update, July 22: the tremors continue, now with Microsoft reluctantly shifting policy away from the private reporting of vulnerabilities, and towards a new model labelled Coordinated Vulnerability Disclosure. What's new about this model: public recognition that the release of details about a bug before a patch is ready (in cases when attacks are already happening) may sometimes be "necessary". There are also persistent rumours that MS may pay bug bounties at a future point; an option they've always publicly discounted, and today denied again.

Thursday 15 July 2010

John And Linda's Big French Adventure

A Suspenseful Start

We get the car MOT tested and certified, serviced, and taxed. We also get that pesky broken drive shaft replaced, you know, the one that stranded us on the M74 on-ramp that morning. Then Thursday, less than a week before departure, I notice the clutch slipping. Fifth gear has become third. It only happens once. I ignore it. Linda notices same thing next day; I try papering over the cracks. She's having none of it, and Saturday, wheels out Little Nephew's dad, the general skilled tradesman and particular car mechanic. Now of course, he reckons anyone who'd risk driving to France on a clutch like that, needs more than his transmission examined. So I agree, but by now all the garages are closing down for the weekend...

Monday morning at 8, I'm waiting outside the garage. "So you want a price..." asks the owner. "No, I haven't got time for a price, we're leaving for France on Wednesday night!" Yeah, I know. Colour me suck.

Brother-in-law begins a period of solid favours, driving both of us to work, and home again, over a period of three days, while also chasing up the car repair on our behalf. But there's no word at lunch time Monday. Later I learn there's also a problem with the gearbox. Tuesday, that component's gone off to some or other remote kingdom apparently named Cambuslang, for stripping down, examination and rebuilding. Wednesday there's still no news on price or delivery! Linda's on the phone to them, unnecessarily as it turns out, as they've simply been "managing expectation" - the car's ready at 3pm.

Also, the problem of how much money to take on holiday with us, has now been quite neatly solved. Never mind, if nothing else in life is free, then at least we are! Free to go! On holiday!

Liberté!

Free lunch! Joan and Dave take us in for a couple of nights in London. Due to a late departure occasioned by our recent immobilisation, we arrive many hours later than originally planned, to discover that they've only waited patiently for us. And as we all have dinner together, so the wine, the conversation and the laughter flow. Next day - but only once everyone's back up to escape velocity - we're off to the local shops together (Waitrose! Yay!) then the garden centre. Sheer heaven, great coffee, and you'll find more and varied Victoria Sponges there than in Emily Blunt's bathroom.

Free entertainment! Evening brings a wonderful relaxation, enjoying the surprisingly varied wildlife in their Enfield back garden: pollinating insects, visiting cats, squirrels, performing troupes of crows and magpies, swifts and swallows and starlings... and another magnificent meal, with all three types of wine. Then it's Saturday, and everyone's up early (except Dave, who'd warned us he'd be hiding); Joan has her date with Wimbledon, we have ours with Portsmouth. Ae fond kiss, and then we sever...

Free Luxury Cruise! There must have been a comms failure at the travel agent, as we thought we'd booked a 2 hour Normandie Express crossing. Now we are somehow just going to have to make do with the 2,200-seater Mont St Michel. Wow, this ship carries as many cars as the Express does people! And it's not even busy. There's a cookery demonstration in one of the restaurants, with free samples. After that, we spend most of the 6 hour crossing gently sizzling on the sun deck.

Squeee! The motor vessel Mont St Michel

Free from foods! Of course there's a down side to arriving in Caen at 22:00 local time, five hours later than planned. We won't be able to shop for our foodstuffs tonight. Or tomorrow, dimanche, when all the shops are closed (reminds me of our picturesque Isle of Lewis holiday a few years ago, where hanging out your washing on a Sunday would have been such a cultural affront, that everyone from the travel agent and brochure writer, to the local police force and the property owner, felt obliged to counsel us most sternly against it).

Too many degrees of freedom! Armed only with the travel agent's rough, mapless and incomplete directions, plus my illegible Google Maps printout, we shoot off the car ferry in a random direction, promptly getting lost. Egged on by the leisurely pace of the ship, the sun now starts its setting thing, which is profoundly annoying. It's too dark to read a map, already printed too small to be legible even when the lights were on. We're fated to get equally lost at least another four or five times before daybreak. These French road markings are unfamiliar, dim and poorly maintained. There are no cats' eyes here, even on the motorway stretches; the only sources of light are when the A84 speed cameras (pour votre sécurité: contrôles automatiques) temporarily blind me like an extra from Men In Black.

Freed of our money: on arrival, the keyholder announces the requirement of a 150€ deposit. We have a total allowance of 200€ in our pockets, intended for buying food etc. over the next few days. The travel agent's brochure had mentioned deposits, but said we would be informed if one was required in our particular case, and if so, how much. Needless to say, we were not so informed. But now it's 4am in a foreign country, so of course we pay. We are not offered a receipt. Note: the deposit was refunded fully and without prompting upon our departure; our sole complaint is with our travel agent.

Freedom from television: while I can honestly say that we never once missed either the PC or the Playstation, and equally honestly claim not to have looked at any of the Mario or Zelda games we brought along with the Nintendo DSi XL, I'd have to add one small caveat in the case of the TV. We both have always enjoyed Wimbledon, our annual feast of tennis, quite religiously. Here, whilst the brochure advertised TV as a provided facility, we find it's limited both in size (a 14" portable of the CRT type) and in choice. There are just two non-subscription channels: the news in French, and perpetual advertisements for thigh trainers. And then the news channel disappears after the first 5 days. Luckily, we do otherwise consider ourselves to be on holiday from TV, so this is mostly a good thing. Evenings are for nightcaps and games of backgammon, after all.

Egalité!

Like the England we just left (where we'd dutifully promised Dave we would support the boys in their World Cup match against Germany, but after examining the quality of tat available in the service stations, limited that support to a single Mars Bar with a St George's flag wrapper), the whole of France is destined to remain at a constant and cloudless 30C for virtually the entire duration of our stay. By now we are well into the recently unaccustomed habit of remaining fully factor-forty'd at all times, but even with that, and with after-sun lotion too, we are bound to return quite burned.

Now, France wouldn't be France without a food critique. Yes, I'm well aware that Nothing is more boring than a description of food. Be grateful I'm not describing dreams to you. Anyway, you can stop reading whenever you like, but it's my blog, so: Dimanche, for reasons detailed above, is catered out. Starting cautiously with a Cheeseburger Maison lunch, soon I'm into the full swing of a perfect filet Béarnaise dinner, as Linda chomps down on a kilo of moules à la crème.

Incidentally, and speaking from subsequent experience: don't ask for water with your meal. Not even when it's the one phrase that you've practised most, and notwithstanding the rare fact that you know how to specify exactly your desired volume, temperature, and degree of carbonification. You will be served sufficient cool water anyway. Only difference is, if you ask for it, you pay for it. The same goes for the bread accompaniment to your moules marinières.

Lundi, we obtain coffee at last! But it's a close thing as I pick up a pack of unground beans, which then Madame kindly replaces with something more suited to the filter machine we've uncovered back at the gîte. We begin a more economical diet of baguette, coarse pâté, olives and salad. Linda discovers La Bolée de Paimpol cidre, which becomes a staple, while I seek out the cheap Pinot Noir (there's none; see comments on the Euro below).

Mardi sees our first excursion, a pleasant hour or so spent cruising around Île-de-Bréhat and its archipelago, whose natural beauty we can already see just a few minutes' walk from our door. This is the day our romance with France truly begins!

Mercredi we try a trip to Tréguier (Breton: Landreger), but end in error in Trédarzec. Well you see, Tré all look the same to me. Never mind, there's an excellent pizza van around here. And after a brief local tour, we do succeed in reaching the beautifully peerless Tréguier.

Jeudi, le 1er juillet: after a very lazy start, we set out around noon for Dinard and Saint-Malo. A great sightseeing, sun soaking day. The city walls of St Malo are formidable, being well preserved (and where necessary, restored); the views are fantastic, both outward and in to the town centre.

Vendredi: ah, il pleut! Panic to get the big canvas parasol indoors and dried in the garage. This will be our shopping day. And the sun will come out tomorrow.

Samedi: oui, il fait du soleil, and it's back with a vengeance. Sunbathing at Paimpol's Plage de La Tossen, sharing a blanket which we continually have to move to keep my half in the shade, until Linda is finally tempted into her bathing costume and the sea. Later at midnight, and again at 4am, I'm outside under a clear night sky, alone save for an unseen and slightly unnerving bustle in the hedgerow, but taking in some unfamiliar southern stars and constellations.

Dimanche: chicken dinner! Linda has assumed all cooking duties, and in general is coming up with some great meals, striving to remain as French and in fact as local as possible (by way of recompense, I'm doing all the driving - except when I break a sandal, and Linda gets to drive on the wrong side of the road for her first time ever). But sometimes convenience is king, and today we use a pre-rotisseried bird, preparing just an accompanying and quite French salad.

Lundi: and another week begins with our latest medium-range excursion, a road trip to Brest. Chock full of the usual yacht-owning suspects. As we sit in the sun (for what else is there to do in this heat?) we people-watch, swapping bets on what the boat owners are carrying on and off the boats, in those boxes and packages jealously clutched to their chests.

And so it goes for our second week, although that will be the last of the long drives until we're homeward bound. As for convenience being king: the gîte boasts a kettle barbecue, but we use it only as the base for a disposable one, to avoid all that cleaning.

The little coastal towns seem built to a pattern. There's a central square, usually with a war memorial, marked "Aux enfants de...", and inscribed with the names of the fallen. There's always at least one boulangerie et patisserie, and usually a pharmacy too. The pharmacies all utilise exactly the same sign, a very dynamic green display. Why so many and so prominent? Well, on the evidence of our experience, I think that the supermarkets are forbidden to sell painkillers...

There's usually a sign to la plage, and while the size of these little beaches varies quite a lot, they're alike in being consistently clean and tidy. Coastal water quality has I guess a lot to do with the success of the local seafood farming industries.

Some of the fresh crab claws that are on sale at the local Carrefour ("Crossroads"), and to which my lovely assistant (pictured, left) will become addicted over these two weeks, have shells the best part of ¼" thick.

The single currency has been disastrous for tourism in the region, according to one artisan we meet, running his own exhibition of fascinating artifacts and articles made from found materials - "100% natural". We briefly consider a clock mechanism mounted in a roughly carved piece of driftwood, but it's no sale. Linda confirms his evaluation, at least allowing that everything used to be much cheaper when she previously travelled in France. Today it's either the same as back home, or else more expensive.

And don't talk to me about roaming charges! I was serious when I said we never missed the PC, or by implication the Internet. In fact when we saw our first ever post-sunset, and therefore very high and wide, full double rainbow, I pointed and uttered something like "Linda look, a full double rainbow, all the way round!" without any inkling whatsoever that the phrase "Double rainbow, all the way" was right then in the process of becoming such a big web and twitter meme.

But I do confess on just one occasion, to sneaking a peek at a few of my favourite geeks' blogs, using my phone. One of these - I won't name names - had no dedicated mobile version, and the sheer quantity of flash advertising emptied my call credit of nearly twenty quid in fewer seconds.

Fraternité!

I describe above how we arrive in France late, and in Paimpol, and eventually Ploubazlanec, later still. What I don't mention there is the resignation that overtakes me, as Linda comments that she'd be relieved to get into the house, and I say I can't see us finding the house at all tonight, and even if we do, gaining entry. The GPS on Linda's Android thinks we're in Spain, and I almost believe it, resigned already to sleeping in the car tonight.

But the property owners remain gamely there for us, available at the other end of the phone, for the two hours (or so it feels) that it takes for us to communicate through the darkness and unfamiliarity, where we are, and how to get to where we want to be. In all that time there is not one note of exasperation - the closest being a chuckle of wry amusement, as Linda and I repeatedly pass the phone to each other, trying to glean the maximum available information from our struggling verbal exchanges. In this attempt to convey my appreciation... words just fail me. Stupid, lazy words!

Similarly, Emilie the key holder deserves our eternal gratitude and regard, for gracefully accepting the disturbance of her house and family at 4am by a couple of strange Scottish blind mole rats, who could find neither the illuminated doorway of the holiday property, nor the note she'd left there. Next morning she visits us, bright and cheerful, making sure that we know where everything is, how it works, why it doesn't. We mime a large outdoor umbrella to each other, before realising we have a word in common: parasol. Ah, oui.
~
Brought but unused: shirts, 3 pairs of jeans, shoes, socks. All rejected in favour of tees, shorts and sandals.
~
Bought but unused: 24 Weetabix, 6 litres of milk, 6 eggs. Our immediate adaptation to chiefly French cuisine saw our dairy & egg requirements diminished at a stroke.
~
The coastal residents of the Côtes-d'Armor are unusually proficient in the correct use of their own language, and similarly skilled when it comes both to understanding, and to making themselves understood by, me. Further into the country's interior, however, these communication skills do unaccountably but discernibly tail off...

Seriously: when armed with only 22 words of French and an AA phrase book, you only begin to sense the meaning of fraternité once you've spent some time experimenting with the social to-and-froing, in native language, of greetings and pleasantries. Rather than walking up to the patisserie counter like a typical rosbif and baldly stating what you want, try starting out instead with a simple bonjour, later the more courageous bonjour madame or mademoiselle (caution: be certain to choose correctly, and in particular don't make the mistake of assuming that any woman will appreciate being addressed as (the equivalent of) my little girl!), to be rewarded by increasingly positive facial feedback. The more effort you put into these social lubricants, the more your struggling cultural efforts will be appreciated. Never miss an opportunity to drop in another merci or au revoir. These will almost invariably feed back and build your confidence.

And yes, since you ask, I did make that mistake. The mademoiselle one. In spite of having been well warned, aye forty years ago... The unfortunate victim of this gaffe was the (in my view, impossibly young and glamorous) proprietress of our favourite Paimpol restaurant. She took it in excellent humour, first asking Linda, "Do you speak any French?", before turning slightly toward me, saying mock-dismissively "Vous, I know, un peu." And with her perfectly Gallic gesture the truth was out. Oui, un petit peu. Très petit.

Holiday Reading

LK: Driving Over Lemons: An Optimist in Andalucia [Paperback], by ex-Genesis drummer Chris Stewart, and with a blurb by Peter Gabriel.

JK, week 1: When Giants Walked the Earth: A Biography Of Led Zeppelin [Hardcover], by Mick Wall. Very generously loaned to me by one of the managers at work. A true eye opener, leaving very little room indeed for hero worship. And the book's not half bad, either.

JK, week 2: The Greatest Show on Earth: The Evidence for Evolution [Hardcover], by Richard Dawkins. A gift from Linda last Christmas, it's taken me half a year to find time to catch up with the good professor's latest written output. At times written for the feeblest common denominator, nevertheless this does contain some material, instructive to the layman, and not covered in his previous books.

Back To Black

Samedi, à 4 heures local time, the phone bleeps my preprogrammed reminder: "Go Home!"

I'd been quite unprepared for a holiday as good as this one. When anyone asks how it was, I'll say "best ever." And when asked to elaborate, I'll say it was like three holidays, describing how we followed a fantastic 2-night stopover visiting rarely seen family with an unexpected, full-day luxury sunshine cruise, and finally found ourselves with still a full two weeks of searing French summer to come after all that.

Linda's already up, loading the few remaining bags into the car. The main cases were packed last night, then I lay awake waiting for the owners' return, which happened about 1am. We'd arranged a handover meeting for 6am. When Mr Koffe arrives, we have a pleasant if bilingual chat prior to leaving. He checks only that we haven't smashed all his crockery, then returns our deposit. Our grocery money from two weeks ago! We leave. Au revoir, Monsieur Koffe, et merci beaucoup, au revoir.

The drive to Caen and the Ouistreham car ferry is a total pleasure in the early morning quiet and the mist. Navigation is effortless too - signs to Caen appear almost immediately. Quite a contrast from our arrival! We have a couple of hours to spare before sailing. Yeah, coffee would be good...

Can't report much about the return ferry crossing, other than it's obviously a lot faster on the Normandie Express, but I half-sleep all the way, simultaneously watching both The Lion King and Scooby Doo and the Samurai Sword. Linda fetches up a wee lunch sandwich for us. On arrival at Portsmouth, heavy sea traffic adds a slow approach and twenty minutes to our journey. By now I have worked out that our hatchback, being at the end of a line of 7-seaters and big-booted sedans, will be last off. Which means a customs inspection; contrary to lore, their psychology is not too terribly advanced. Linda handles questions about our wine and cider stash with supreme confidence. One day, when I start importing illegal tobacco, sundry plant materials, or various other chemicals, she will be my driver.

It's still sweltering out here; 32C apparently. Linda grabs the wheel. Drives us down and through Portsmouth, and up the A3, M25, M1, M6, as far as Blackpool.

- Where did all the time go?
- Well I did warn you, the only way to make your holiday last is to stay in every day, stare at the walls and do nothing. But no, you had to be out adventuring and doing interesting stuff...


It's just beginning to get dark as we finish our double whoppers while the Break's King closes at 9pm. Noting disapprovingly that The Colonel will remain open for yet another hour, I take over driving duties for these last few miles. As the light fades, so the rainclouds gather, leak, drizzle, burst and fall.

Finally approaching Glasgow after a 21 hour travelling day, again we arrive in the black of midnight, this time to the sounds of torrents splashing on the glass, rippling under rubber. Surface water on M74. Caution.

Tuesday 13 July 2010

Orphaned Land

"Abraham" I Replied

Linda had just started a random game of Who would you like to meet from history? The figure of Abraham, the father of the people of Israel, standing at the visible confluence of all the world's great monotheistic religions - Christianity, Islam, Judaism - is a man whose opinions on certain subjects I thought I'd surely like to hear. How would he feel about these systems of belief, their various sacred texts, with all his links to them, to the billions who have followed them, and the millions slaughtered and maimed in their names over these millennia?

But at least we know who his favourite Progressive Metal band would be! That would be Orphaned Land, an Israeli outfit with a huge and devoted following among Muslims and Arabian people.



The band's name refers of course to the holy land, and their fourth and latest full length masterpiece studio album, five years in the making, The Never Ending Way of ORwarriOR (which means Warrior Of Light)...
...is a sophisticated concept album taking ORPHANED LAND’s unique brand of exotic, heavy music to soaring new heights in terms of complexity and catchiness.
ORPHANED LAND spent over 600 hours in the studio cooperating with The Arabic Orchestra of Nazareth, using multilingual vocals (e.g. English, Hebrew, Arabic, Yemenite), countless Oriental as well as other traditional instruments such as: saz, santur, arabian flutes, middle-eastern percussions, cumbus, bouzouki, violins, various kinds of guitars, piano...

Although no one in the band is religious, they cannot equally claim to be apolitical, as their music campaigns consistently for peace between Israel and the Arabian world. Even the calligraphy on the new album combines letters from Hebrew and Arabic, moulding them "to create a symbol of peace".

The insensibly prolific Steven Wilson, Porcupine Tree's captain, plays keyboards on this release. He also mixed the album at his own Hemel Hempstead studio, No Man's Land. The collaboration is no surprise to PT/SW watchers; Steven has a side project Blackfield, with Israeli rock star Aviv Geffen, and at one time also collaborated with Bryn Jones (Muslimgauze).

Thursday 1 July 2010

Security Digest #10

All the summer's software security trivia and miscellanea are here!

Symantec Acquires PGP

This isn't a business blog, and this isn't exactly up-to-the-minute news - the agreement having been announced at the end of April, together with the simultaneous acquisition of GuardianEdge - but I do think that the news of Norton vendor Symantec's acquisition of PGP Corporation merits a mention.

It is of particular interest to those in the security business who remember the very first days of Pretty Good Privacy (PGP), its inception in 1991 at the fingertips of Phil Zimmermann. The first widely available public key cryptography software, it led to a criminal investigation of Phil by the US Customs Service; at that time, strong cryptography was treated as munitions by the arms trafficking export controls in force. He formed PGP Inc when the government finally dropped this case in 1996. To this one man, we all owe a debt of gratitude for our easy access to decent cryptography today.

There have been acquisitions of PGP before: by Network Associates in '97, then by PGP Corp in 2002. Now the bigger fish gets swallowed by an even bigger, aggressively acquisitive one.

Windows Live™ and the SDL

Microsoft's web application development organisations use the SDL just as much as the next guy, and the Windows Live™ team are out to prove that, in the run-up to their Wave 4 release, with the latest addition to the SDL web portal's published internal SDL case studies:


The partition of mitigations is interesting. Windows Live™ comprises two distinct types of app development. Namely: desktop clients such as Messenger, native code traditionally exposed to integer overflows and buffer overflows; and hosted web apps like Hotmail, which by contrast see plenty of cross-site scripting (XSS), cross-site request forgery (CSRF), open redirects and JSON hijacking.

This paper details the lessons learned by the team, as they adopted and integrated, even as they discovered and developed, the latest SDL requirements.
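Of the web-side classes listed above, the open redirect is the one whose fix is most often got wrong, because a naive "does it start with a slash?" check passes scheme-relative and backslash forms that browsers treat as absolute. Here is an added example of validating a post-login return URL against an allow-list; it is my own illustration, not code from the Windows Live case study or from Microsoft, and the host names, base URL and landing page are assumed for the purpose.

```python
from urllib.parse import urlparse, urlunparse, urljoin

# Assumed allow-list and landing page for the example app (not from the case study).
ALLOWED_HOSTS = {"mail.example.test", "www.example.test"}
BASE_URL = "https://mail.example.test/"
DEFAULT_TARGET = "https://mail.example.test/inbox"


def safe_redirect_target(return_url):
    """Validate a user-supplied post-login redirect and return a safe absolute URL.

    Anything that would leave the allow-listed hosts over https falls back to
    DEFAULT_TARGET. Tricks handled: scheme-relative "//evil", backslashes
    ("/\\evil"), surplus slashes ("///evil"), userinfo ("https://good@evil"),
    non-https schemes, embedded tabs/newlines, and empty input.
    """
    if not return_url:
        return DEFAULT_TARGET
    # Browsers drop tabs/newlines and treat backslashes as slashes; do the same
    # before parsing so the check sees what the browser will see.
    candidate = "".join(ch for ch in return_url.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    # Any run of leading slashes is scheme-relative to a browser; normalise to "//".
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")
    parsed = urlparse(urljoin(BASE_URL, candidate))
    if parsed.scheme != "https":
        return DEFAULT_TARGET
    if parsed.username is not None or parsed.password is not None:
        return DEFAULT_TARGET
    if parsed.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return DEFAULT_TARGET
    # Rebuild from components so only host, port, path and query survive;
    # fragment and any userinfo are discarded.
    netloc = parsed.hostname + (f":{port}" if port else "")
    return urlunparse((parsed.scheme, netloc, parsed.path or "/", "", parsed.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest classic open-redirect payloads.
    for url in ["/settings?tab=security", "//evil.test/login", "/\\evil.test/",
                "https://mail.example.test@evil.test/", "javascript:alert(1)", ""]:
        print(f"{url!r:45} -> {safe_redirect_target(url)}")
```

The important design choice is the last step: rather than returning the caller's string once it has passed the checks, the function reassembles the URL from the parsed parts, so whatever the parser and the browser might disagree about in the raw input never reaches the Location header.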


Security And The Cloud

Subject says it all, and that subject is SDL's own Michael Howard. Who also says,

We wrote this paper because no matter how many defenses we add to Windows Azure, it is important that people building software or hosting services in “The Cloud” understand that they must also build software with security in mind from the start.

The relevant paper is here (209KB docx).


Well I'm off to ice another round of Blue Lagoons, see you next time.

Tweets - June 2010