Alkahest my heroes have always died at the end

November 27, 2006

predictions… “Cyber Monday”

Filed under: Technical — cec @ 11:40 am

Let me get a prediction in here before the data come out tonight or tomorrow.  “Cyber Monday” will be a disappointment to retailers.  They will do more electronic business than they did last year, but not significantly more than they did last Friday or next Monday.  Any uptick is going to be small and due to people paying extra attention to online sales.

“Cyber Monday” (sorry, I can’t help but put it in quotes) is yet another marketing ploy.  The theory is that when people go back to the office, they’ll use the high-speed connection to shop online.  The problem is that the majority of people who shop online already have a high-speed connection at home.  Add to that the companies that are cracking down on online shopping (and game playing and general web surfing) from the office and I’m guessing that it’ll be a non-event.

November 24, 2006

Poindexter

Filed under: Random,Security,Social,Technical,University Life — cec @ 12:55 pm

It’s taken me a bit to write about Admiral Poindexter’s visit and the small group talk we had with him. Let me start by reminding folks that here’s a guy who was convicted of lying to congress. The conviction was later overturned on a technicality. He’s also very politically savvy. I once asked my father if he would ever pursue becoming a general in the army. He told me that he was hoping to make full colonel (he later retired as a lt. colonel), but that becoming a general required a literal act of congress and that you needed to become a politician. I would assume the same thing is the case with an admiral and doubly so in the case of Poindexter who managed to become the highest ranking geek in government. All of which is to say take my impressions with a grain of salt.

When I met Poindexter, he came across as a very kind, gentle and grandfatherly figure. He smokes a pipe and was more than willing to tell stories about his career. It seems that he started in the Navy in college, finishing up with a degree in engineering (w00t!). This was around the time the Soviets sent up Sputnik. The first Russian satellite caused something of a panic in the US and, arguably, did more to encourage investment in science and engineering than any other event. The military’s response was to select 5 men from the army and 5 from the navy to pursue graduate degrees in science or engineering, anywhere in the country. Poindexter chose physics at Caltech. After discussing his trials getting into and then through grad school, he noted that he’s never taught physics, never been in a lab, never really used his degree, but it did give him a solid understanding of the scientific method.

After grad school, he had several different positions and in each, he played the role of technology evangelist. He was one of the first to use computers in the Navy, set up the first video conferencing system among the National Security Council offices, was the first to use email (on a mainframe!) in the White House, etc. Like I said, the highest ranking geek in government.

Shortly after September 11, Poindexter was asked to head up the DARPA Office of Information Awareness (OIA) projects. In talking with him, I definitely have the sense of a man who loves his country and truly believes that terrorism is the greatest threat it has ever encountered. I disagree with him regarding the extent of the threat that terrorism presents, and so he and I may disagree on the appropriateness of the OIA, but unlike many politicians, I don’t think that he’s using terrorism to advance other goals. I don’t believe that he’s hypocritical about his work.

So, what is his work? One of Poindexter’s chief complaints is that he (and TIA) were unfairly maligned in the media. If you recall, TIA was presented as a giant “Hoover” of a database. The government would collect information from a number of private sources and perform data mining on it in order to identify (potential) terrorists amongst us. Lots of us who are concerned with security and privacy were worried about this. The privacy angle is disturbing enough, but from the security standpoint, you are creating an attractive nuisance. The first hacker that comes along and can get through the government’s security measures is going to have a huge amount of data. Consolidating databases also increases the likelihood that the businesses involved will use the information. For example, can you be denied insurance if you are overweight, but grocery records indicate you buy junk food?

Beyond the privacy and security concerns was the very real question of how this was going to work, i.e., would it really keep us safer? Traditional data mining techniques find statistically significant patterns in large data sets. Terrorists (one hopes) are not statistically significant – unless there are a lot more of them. This is actually one of Poindexter’s complaints – that his proposal should never be called data mining; data mining won’t work. He was working on a “data analysis” system.

In his presentation, Poindexter tells us that the media got it wrong. He never planned a single huge database. Instead, he planned to leave the data where it was and to build a distributed database on top. Each participating database would make use of a “privacy appliance.” The privacy appliance would be connected to a query system and would anonymize the data before sending it to the query system.

To detect terrorists, he would have a “Red Team.” This is the group that is intended to think like terrorists. Their job is to hatch plots and to determine what it would take to implement the plots. For example, blowing up a building might require large amounts of fertilizer and fuel oil. Purchasing these supplies would leave a footprint in “information space.” The Red Team would pass this step along to the analysts who would then query the system with this pattern to find anonymous individuals matching it. Of course, purchasing fuel oil and fertilizer would flag every small farmer in the country. So the Red Team would go back and look at step two, perhaps renting a large van. New query pattern, new search. Repeat until you either don’t find anyone, or until you are specific enough to get a legally authorized search warrant.

Poindexter also notes that this was a research and not an operational program. That the “total” in TIA was meant to encourage researchers to think broadly. Finally, that the reason the privacy part did not get off the ground sooner is that none of the researchers were interested in this aspect – they only received two privacy proposals.

Interesting idea. A few problems:

  1. I’ve gone back through the documentation available at the time and I see nothing about either red teams, distributed databases or privacy appliances. The early architecture diagrams all seem to indicate a monolithic database.
  2. It’s still not clear to me that this will work. The red teams will have to come up with millions of patterns and even then, you are not guaranteed to come up with everything.
  3. Regarding research vs. operational. This is a lovely thought, but at the time, iirc, there were reports of TIA receiving real data. In fact, even as a research project, it would need real data in order to test.
  4. Regarding the “total” in TIA – that was a pretty scary logo if that was the case.

So, it may be that this is a refinement of the original ideas. In which case, they seem like a good refinement. From the privacy and security standpoint, this seems to be better suited than the original ideas. However, I don’t think that Poindexter was being entirely forthcoming.

All in all, a very interesting day and a very interesting man.

November 15, 2006

/me grumbles

Filed under: Personal,Technical — cec @ 10:20 pm

Bah – the past few nights, my website/blog keeps getting screwed up because all of the disk space on the drive is consumed.  The first night, I freed up some space, but didn’t pay attention to how much was free.  It happened last night and again I freed up space, noting that I had about 700 MB free.  Tonight, it happened again and I finally tracked down what happened.  I do an rsync backup to an external drive every day.  A couple of days ago, I rebooted the machine and the external drive didn’t mount back up.  So I wound up doing a backup of my home directory and root partition to the root partition.  Of course the partition filled up.  Oh well, problem solved now.  I just need to be more careful in the future.
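The failure above (the external drive did not come back after a reboot, so rsync wrote into the empty mount directory on the root partition) can be caught before the copy starts. The following guard script is an added example, not part of the original post; it refuses to run rsync unless the target is a real mount point that lives on a different device than the root filesystem. The rsync flags and the paths in the usage line are assumptions for illustration.

```python
import os
import subprocess
import sys


def is_external_mount(target, root="/"):
    """True only when target is a mount point on a different device than root.

    An unmounted external drive leaves an ordinary (usually empty) directory
    behind: it is not a mount point, so this returns False and the backup is
    refused instead of filling the root partition.
    """
    if not os.path.ismount(target):
        return False
    return os.stat(target).st_dev != os.stat(root).st_dev


def backup_command(sources, target):
    """The rsync argument list the guard would run (built here, not executed)."""
    return ["rsync", "-a", "--delete", *sources, target]


def run_backup(sources, target):
    """Run the backup, or refuse with exit status 2 when the target is not mounted."""
    if not is_external_mount(target):
        print(f"refusing to back up: {target} is not a separately mounted volume",
              file=sys.stderr)
        return 2
    return subprocess.call(backup_command(sources, target))


if __name__ == "__main__":
    # Hypothetical usage: backup_guard.py /mnt/backup /home /etc
    sys.exit(run_backup(sys.argv[2:], sys.argv[1]))
```

The device comparison matters on systems where the root filesystem itself reports as a mount point: checking `os.path.ismount` alone would accept a target such as `/` or a bind mount of the root partition, while the `st_dev` comparison only accepts a target that is on a different block device.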

November 6, 2006

North Korean nuclear test

Filed under: Security,Technical — cec @ 8:03 pm

Well, it seems that we finally know what happened with the North Korean nuclear test that fizzled.  They apparently mistranslated the Arabic documents the U.S. posted online.

Okay, so neither of those is really very funny.  On the one hand, the U.S. posted a whole host of Arabic documents from Iraq that had never been examined before in the vague hope that someone would be able to find evidence that Iraq had a WMD program before we invaded.  This was idiotic.  It’s equivalent to my posting an entire database of personal information in the hopes that someone online could determine if there were social security numbers in it.

On the other hand, we’ve got a foreign policy failure under this administration that resulted in one of the most unstable countries in the world building a nuclear device.  I know that it’s been said that the weapon was a dud, but I haven’t seen any recent analysis on this.  Determining destructive yield from seismic data depends on the magnitude of the quake, the depth of the explosion and the matrix it was contained in.  Last I heard, the sub-kiloton results were based on hard rock and a magnitude of ~3.8.  The USGS says the magnitude was 4.2.  If the matrix was softer, this could easily be a 5 kiloton weapon.  But then, I’m not a nuclear proliferation expert, so I could easily be missing new data.

October 23, 2006

Biometrics – fingerprint scanners

Filed under: Security,Technical — cec @ 10:00 am

I recently had a small argument with a vendor selling biometric fingerprint scanners tied to your credit card number.  He said that they were the greatest and most secure thing ever; I said that there weren’t any standards and that the security of the devices was questionable.

I wish I had seen this earlier.

(Embedded YouTube video.)

October 17, 2006

Things that make you go blind

Filed under: Technical — cec @ 4:42 pm

No, not that – Programming.

I need to do some statistical work to test a theory.  The best approach in order to compare my results is to do the work in R.  But it looks like I’ll need to extend a package.  I download the package from CRAN (the Comprehensive R Archive Network), unpack it and start trying to figure out how it all works.  Unfortunately, it is written in Fortran, C and R.  Untangling it will take forever.

Maybe I’m better off just trying to extend it within R itself – which is of course how the original package writer got into this mess in the first place.  🙁

October 13, 2006

Thinking about security and usability

Filed under: Security,Technical — cec @ 11:06 pm

IT security (and for that matter, other security concerns too) is often seen as conflicting with usability. There is something to that. If you take any given technology and turn up the level of security it provides, you will almost always decrease the usability of the system.

Consider passwords. If people are allowed to choose their own passwords, they will typically choose something very usable for them. They’ll pick their dog’s name, their wife’s name, their userid, etc. These passwords don’t provide much security. To compensate, we often turn up the security knob and require “stronger” passwords, e.g., minimum of six characters with no dictionary words and multiple “character classes.”

[Figure: security-usability.png]

Adjusting the password strength knob is reasonable to an extent. I’ve recently heard security officers consider requiring fifteen character passwords with multiple character classes. Such a password is unusable. Any system that requires that level of security should not be protected by user chosen passwords and possibly not by passwords at all. To maintain usability, while increasing security, you have to use a new technology.
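The “password strength knob” described above is just a set of tunable rules. The checker below is an added example (not from the original post) that implements the three rules the post names, length, character classes and no dictionary words, with the thresholds as parameters, so the common six-character policy and the proposed fifteen-character policy are the same code with different settings. The word list is a small constructed stand-in for a real dictionary file.

```python
import string

# Constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "rover", "letmein", "summer", "company"}

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def dictionary_words_in(password, dictionary=DICTIONARY, min_len=4):
    """Dictionary words found in the password as case-insensitive substrings."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= min_len and w in lowered)


def check_policy(password, min_length=6, min_classes=2, dictionary=DICTIONARY):
    """Return the rules the password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    found = dictionary_words_in(password, dictionary)
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    return problems


# The two settings of the knob mentioned in the post.
BASIC_POLICY = dict(min_length=6, min_classes=2)
STRICT_POLICY = dict(min_length=15, min_classes=3)


if __name__ == "__main__":
    for candidate in ("rover", "rover1", "Gx7#qLm2"):
        print(candidate, "basic:", check_policy(candidate, **BASIC_POLICY),
              "strict:", check_policy(candidate, **STRICT_POLICY))
```

Running it shows the trade-off concretely: a memorable password fails the basic policy on the dictionary rule alone, while a random eight-character password that passes the basic policy still fails the strict one only on length, which is exactly the point where users start writing passwords down.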

Consider the graph to the right (click for a larger view). The graph illustrates this principle. The blue line represents a given security technology. As you increase the security, you decrease the usability. In such a security-usability graph, we really want to be in the upper right corner of the graph. But our blue line can’t get us there. When we make the passwords more complicated (secure), they become less usable. To get further up in the graph, we need to change the technology and shift the security curve to the right (the green line). For example, we might allow weaker passwords but require two factor authentication with a smart card.

Unfortunately, many proposed security technologies might even shift the graph to the left (the red line). These technologies provide less security for the same degree of usability.  Think of the prohibition on liquids while flying.  This provides no increase in security, while greatly decreasing the usability (or at least the enjoyability) of flying.

[Figure: security-usability2.png]

If we’re lucky, our security curves don’t look like the graph above and instead look more like the one to the left (click for a larger view). The advantage to a curve like this one is that there’s a fairly natural optimal point. We can increase the security while barely affecting the usability – at least up to a point.

I don’t know what the security curves for most technologies look like. But security technologists need to consider this and determine both the level of security and the level of usability needed in a given system. If you can’t achieve both, then you might need to think about a different approach or a different security technology. Trying to achieve a desired level of security without considering usability will result in the users ignoring or bypassing security in the future.

Just some thoughts.

September 24, 2006

Stock spam

Filed under: Security,Technical — cec @ 6:26 pm

One of the disadvantages of having so many email accounts is the amount of spam you get. Recently, I’ve been noticing an increase in stock spam making it through my spam filters. I’ve been wondering how effective the spam is and whether or not one could make money shorting these stocks.

Apparently, I’m not the only one. The local paper carried a NYT article titled “Many people fall for stock spam.” In the article, the author describes the work of Frieder and Zittrain. Frieder and Zittrain found that pink sheet stocks that were heavily touted in spam were significantly more likely to be traded than non-touted stocks. Purchasing these stocks would lead to a 5.25% loss within two days. For the most heavily touted stocks, the average loss was almost 8% in two days.

To get a sense of what these look like, I read through the 700+ spam messages collected in my spam folder over the past week. I feel like I’ve been dumpster diving. However, amid the emails claiming that I can enlarge body parts, get cheap watches and drugs, improve my sex life and buy human growth hormone, I found a few dozen messages touting 10 different stocks.

Looking at the stocks online shows that, sure enough, in the day or two around the time I got the spam, there was a substantial increase in the trading volume and in several cases, there was a noticeable increase in the share price. Now if I really wanted to test this, I would start selling these stocks short any time I received stock spam. Figure maybe a thousand dollars per stock. A 5% drop on a shorted stock in two days is nothing to ignore 🙂

August 22, 2006

carrier thermidistat design – let’s put it in the category of needs to be fixed

Filed under: Personal,Technical — cec @ 10:56 pm

Back when I was a grad student and just about to finish up, the school of engineering turned a class of 60 freshmen over to me to teach intro to numerical methods for engineers. I tried to liven things up by emailing the occasional engineering funny to my students, who even reciprocated. The following is a brief excerpt from an engineer identification test that was sent to me by a student.

To the engineer, all matter in the universe can be placed into
one of two categories: (1) things that need to be fixed, and (2)
things that will need to be fixed after you’ve had a few
minutes to play with them. Engineers like to solve problems.
If there are no problems handily available, they will create
their own problems. Normal people don’t understand this concept;
they believe that if it ain’t broke, don’t fix it. Engineers
believe that if it ain’t broke, it doesn’t have enough features
yet.

That brings me to an issue I’ve been having. A couple of years ago, we put in a new heat pump with humidifier; it came with a new thermidistat which didn’t seem to work too well. When the A/C cut on, the temperature on the thermostat rose several degrees, at one point jumping from 78 to 86, while the temperature in the area remained constant. I realized that the problem was the relays. The A/C kicks on, the relays heat up and the thermistor gets hot. We called the installer, got a new thermidistat. It did the same thing.

We discovered that we could use a small fan to blow air on the thermidistat. That worked well, but was irritating. So we moved the thermostat to a place with more airflow. Same problem, but to a lesser degree – the A/C cuts on and the system jumps from 78 to 79. Of course, to get it back down to where it would shut off, the thermostat ran the A/C until the house had cooled to about 75. Bah.

Finally, this weekend, I opened up the thermostat and added some redneck engineering to it. I insulated the relays using cotton balls and tape. So far so good. If this didn’t work, the next step was to just buy a different model of thermidistat. But let’s face it, do-it-yourself insulation is more fun. So, for the record, we can officially put the design of the carrier thermidistat in the category of things that need to be fixed.

UPDATE: let’s spell carrier correctly, shall we? 

August 14, 2006

things that make a security officer cry

Filed under: Security,Technical — cec @ 3:33 pm

I spent a lot of time last week looking at an application in order to assess its security. The thing that was troubling me was that this is a web application and the primary form for data entry was defined like:

<form name="foo" method="post" action="">

This means that nothing happens when you hit submit on the form – at least not in the HTML world. So, I took a closer look and found that each of the buttons (submit and clear) actually had an onclick="doSomething();" attribute.

Okay, so we’re dealing with JavaScript. I can handle that. I grab the included JavaScript file and realize that I’m dealing with something exceedingly strange. The whole script is one line long and contains very little valid JavaScript. Instead it contains what looks like a brief function, a ton of line noise and a bunch of words at the end that are delimited with pipes (|).

Since it’s my job to be paranoid, I think, “ah ha! someone has something they’re trying to hide.” It takes me a bit, but I realize that the JavaScript is actually an eval function with a number of arguments. Poking at the arguments, I realize that one is the line noise, one is 62, one is an array of words and one is the number of items in that array. The code at the beginning basically unpacks the whole thing. It breaks the line noise into tokens. The tokens are indices into the array in base 62! Base 62 because you can use numbers and upper and lower case letters for each digit.

The code takes all of the tokens and replaces them with the word in the right position. It then runs an eval() of the whole thing. Armed with this, I alert() on the final command, only to find that the whole thing is a fairly simple client side validation and Ajax based POST. There’s absolutely nothing sensitive there!

*sigh*

Update:  spoke to the developer.  This wasn’t an attempt at obfuscation, it was actually a test of a program he downloaded that is supposed to be a JavaScript accelerator.  It accelerates by creating a smaller version of your JavaScript so it downloads faster!  Never mind that it then takes 5 seconds to unpack the stupid thing.  🙁
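The decoding the post walks through (split the line noise into tokens, read each token as a base-62 index, substitute the word from the pipe-delimited array) can be done statically, without ever handing the script to eval() or alert(). The script below is an added example, not the post’s own code or the packer the developer used: it contains a toy packer that produces the same shape of output (line noise, the radix 62, the word count and the pipe-delimited dictionary) from a constructed validation function, and an unpacker that reverses it with a regular-expression substitution. Decoding this way lets an assessor read the real code before deciding whether to run it.

```python
import re

# Digits of the base-62 scheme: 0-9, then a-z, then A-Z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
WORD = re.compile(r"\w+")  # a token is a maximal run of [A-Za-z0-9_]


def to_base62(n):
    """Encode a non-negative integer as a base-62 token."""
    digits = []
    while True:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
        if n == 0:
            return "".join(reversed(digits))


def from_base62(token):
    """Decode a base-62 token, or return None if it is not one (e.g. contains '_')."""
    n = 0
    for ch in token:
        i = ALPHABET.find(ch)
        if i < 0:
            return None
        n = n * 62 + i
    return n


def pack(source):
    """Toy packer (constructed for this example): every word in the source is
    replaced by the base-62 index of its first appearance.
    Returns (line_noise, radix, word_count, dictionary)."""
    words, index = [], {}

    def encode(m):
        w = m.group(0)
        if w not in index:
            index[w] = len(words)
            words.append(w)
        return to_base62(index[w])

    noise = WORD.sub(encode, source)
    # A word that already equals its own token is stored as "" so the
    # unpacker leaves that token untouched.
    dictionary = "|".join("" if to_base62(i) == w else w for i, w in enumerate(words))
    return noise, 62, len(words), dictionary


def unpack(noise, radix, count, dictionary):
    """Static decoder: reverse the token substitution without eval()."""
    if radix != 62:
        raise ValueError("this decoder handles the base-62 variant only")
    words = dictionary.split("|")
    if len(words) != count:
        raise ValueError("dictionary length does not match the count argument")

    def decode(m):
        tok = m.group(0)
        i = from_base62(tok)
        if i is None or i >= count or words[i] == "":
            return tok  # not a token, or a word that is its own token
        return words[i]

    # One pass over the whole string, so a replaced word is never re-scanned.
    return WORD.sub(decode, noise)


# Constructed sample: the kind of client-side validation the post found.
SOURCE = ('function validate(f){var e=f.email.value;'
          'if(e.length<6){alert("bad address");return false;}return true;}')


if __name__ == "__main__":
    noise, radix, count, dictionary = pack(SOURCE)
    print("packed:", noise, radix, count, dictionary)
    print("decoded:", unpack(noise, radix, count, dictionary))
```

The packed form is unreadable for the same reason the post’s script was: every identifier, keyword and number has become a one- or two-character base-62 index, and the only place the original words survive is the dictionary at the end. Because tokens are word-bounded, the same regular expression that finds them also delimits the substitution, which is why the decoder needs no parser.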

