2010 08 15

From TheCommandLineWiki


News Cast for 2010-08-15

(00:17) Intro

  • Back from a good but jam-packed trip to San Francisco
  • Will try to find time soon to write up my thoughts, personal and professional
  • In just a few weeks, will be on the road again, to Atlanta, GA
  • Dragon*Con is Labor Day weekend
  • http://dragoncon.org/
  • No news show on the 29th, or the 5th of September
  • No feature cast on the 1st of September and possibly not on the 8th
  • If you are going to be at the con or are in the area, let me know

(02:47) Security alerts

(03:05) First Android SMSing trojan

  • http://www.computerweekly.com/Articles/2010/08/10/242321/android-phones-hit-by-text-based-trojan.htm
  • HT Glyn Moody.
  • According to ComputerWeekly SMS trojans are already common
  • The idea is the malware tricks a user into installing it
  • It then sends texts to premium rate numbers
  • The attackers collect the charges on those numbers
    • Profiting from the actions of the trojan
  • This past week, Kaspersky Labs identified the first such trojan
    • To affect Android based phones
  • The app in question is not in the market
    • A user would have to encounter it on a malicious web site
  • It claims to be a media player, a common tactic for trojans
  • Kaspersky Labs suggests that attacks like these will increase
  • Android has been growing at an accelerating rate
    • Recently surpassing the iPhone by some sales metrics
  • It is pretty much common sense that larger targets are more likely to be attacked
  • Google is skeptical of the risk given the permission model of Android
  • On installing any app, the user is presented with what actions it will take
  • That includes making calls and sending text messages
  • A savvy user should doubt that a media player needs to call anyone or SMS
    • However the trojan may be spreading as a consequence of click fatigue
  • Even the most diligent users may get tired of constantly approving installations
  • This is a common phenomenon on Windows, even lampooned in Mac ads
  • Kaspersky, of course, says it is releasing a product
    • To protect against this threat
    • So the truth may be closer to Google's view
    • As they have less reason to inflate the threat
  • More reasonable advice is to point out that there is no reason for a legitimate site
    • To encode media in a format other than the ones already supported

(05:36) Vulnerability in OpenSSL 1.0.x

  • http://www.h-online.com/open/news/item/Vulnerability-in-OpenSSL-1-0-x-1053147.html
  • According to the H, this was uncovered by security expert Georgi Guninski
  • The vulnerability is exploitable by a server sending a malformed certificate to a client
  • Usually this would cause the client software to crash
    • But also apparently can be exploited to execute injected code
  • That makes it a pretty severe flaw
  • Guninski included a sample certificate to demonstrate the problem in his disclosure
  • The H tested the sample provided but only got a warning of an invalid certificate
  • The problem affects the 1.0 branch of OpenSSL
  • While that library is in very widespread usage
    • The version most commonly installed is 0.9.x
  • There isn't any word on a fix, yet
  • Given how few systems have 1.0 installed, there is time yet
  • The issue is being actively discussed on the OpenSSL developer list
  • Odds are good this will be fixed well before the number of users makes it more critical
  • This is a good reminder that the impact of a flaw is only part of the risk
  • A critical break that isn't very common is often less concerning
    • Than a shallower exploit that is hit with considerable frequency
  • Most systems that do use OpenSSL do so through a managed software repository
  • Odds are good those few using that version
    • Will get a security fix promptly after it is developed and tested

(07:36) News

(07:49) Artificial life forms evolve basic memory, strategy

  • My interest in artificial life stems from my first reading of Waldrop's "Complexity"
  • http://www.amazon.com/gp/product/0671872346?ie=UTF8&tag=thecommandl0a-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671872346
  • Framing emergent complexity in terms of life makes sense
  • It resonates with how life in general tends towards more interesting states over time
  • Artificial life forms are also hackable
  • You can indirectly inspire changes through altering the environment
    • Or reach directly into their code to see what tweaks
    • Yield what changes, exploring the space of interesting outcomes
  • This fascination is actually pretty common among hackers
  • In Steven Levy's "Hackers", some of the early tinkerers at MIT
    • Are utterly fascinated with Tim Conway's Life
    • One of the first a-life systems capable of producing truly complex patterns
  • Eric Raymond has even recommended the form of a glider from Life
    • As a simple icon for hackers to bear as a signal of their interests
  • The glider pattern is one of the ones that can self-replicate in Life's simple environment
  • http://tech.slashdot.org/story/10/08/08/0110222/Artificial-Life-Forms-Evolve-Basic-Memory-Strategy
  • I was instantly curious to learn more on seeing Slashdot's link
    • To a New Scientist article discussing the evolution of memory in an artificial life system
  • The article is behind a pay wall but if you search for its title
    • You can find the full text of the article
  • Or look for the August 4th issue on news stands
  • What the article covers is a set of related experiments at MSU
    • Using a-life to try to shed some light into how memory evolves
  • The system used, Avida, is an indirect descendant of the computer game, Core Wars
  • In that game, players wrote small programs that battled to the last survivor
  • The lineage of research systems inspired by the game
    • Added capabilities useful for analyzing how simulations unfolded
  • A-life is a useful complement to studying biological systems
    • Because it can be replayed, tweaked and taken apart at its lowest level
  • What most of these projects found is that memory serves as a navigation aid
  • In one instance, the researcher set up an environment with a food gradient
  • At one end, the virtual food was scarce and in small quantities
  • Moving gradually to the other end of the space, food increased
  • Starting with the simplest organisms, they eventually developed the trick
    • Of remembering the food in the last space they occupied
    • As they moved across the virtual grid of cells
  • Memory then allowed for relative comparisons
    • Gauging whether food increased or decreased as the organism moved
  • It is not hard to see how even the simplest form of memory
    • Ultimately provided a huge evolutionary advantage
  • The article also discusses the overlap with artificial intelligence
    • Related efforts at MSU exploring evolved brains
    • Used to control actual robots
  • Traditionally, AI research has tried to model minds or sub-components of minds
    • In a more top down fashion, modeling off a working biological mind
  • The bottom up approach is already capable of building effective if minimal brains
  • The future of evolving brains approaching human complexity is promising
  • It makes more sense to me to encode simpler rules and encourage complexity
    • Than to drive backwards through an already complex system
    • Which would require understanding and building all the intermediate rules and systems
  • Robert Pennock of MSU will be presenting on some of the projects from MSU
    • At an annual a-life conference in Denmark
  • I encourage you to read the whole article, if you can find it
    • As the projects are quite diverse and there is more detail on each effort

(11:35) John Doe who challenged FBI spying freed from gag order

  • http://www.wired.com/threatlevel/2010/08/nsl-gag-order-lifted/
  • Kim Zetter at Wired explains the case of Nick Merrill
    • A security consultant and owner of a small ISP
  • On receiving a national security letter demanding customer records
    • He decided to fight the FBI in court on behalf of his customers
  • I already knew that NSLs do not require a warrant
    • Thus failing to rise to the same standard of probable cause and judicial oversight
  • What I did not realize is they also come with a life-long gag order
  • As Zetter portrays very clearly in the article, Merrill couldn't discuss
    • Even with his closest acquaintances and family
    • The ordeal he was going through to challenge the letter
  • Violating the gag order can be punished with up to five years in jail
  • This secrecy increases the risk that the letters will be abused
  • Zetter points out that an audit by the justice department
    • Determined that such abuses were occurring with shocking frequency
  • Arguably, in talking to his attorney, Merrill could have been accused
    • Of violating the gag order accompanying his letter
  • I suspect, as Merrill himself avers, that the right to due process
    • Trumps the secrecy of these letters
  • A judge at the end of last month lifted the gag order
    • After the FBI let its push for information lapse
  • He isn't sharing everything about the case yet
  • What he does explain in the letter is troubling enough
  • Not surprisingly, the FBI's demand for information was overly broad
  • This is exactly the sort of abuse a judge is supposed to prevent
    • In their role issuing warrants
  • Law enforcers are not supposed to be able to troll for anything and everything
  • Ordinarily, they have to prove justification for violating a suspect's privacy
  • Merrill thankfully stood by his principles from start to finish
  • He is clearly sharing his story in hopes of inspiring others to do the same
  • As he shares more information, hopefully he will draw more attention
    • To the problems that arise from NSLs
  • The lifting of the gag order is only partial
    • And as the article points out
    • Getting that much was fraught with threats from the FBI
    • About harming national security
  • Merrill's case did help get Congressional amendment of the law
    • So that recipients have more of a right to challenge NSLs
  • At the same time, as I've mentioned on the blog
    • The Obama administration is seeking to expand the scope of NSLs
  • Merrill's role in tackling these letters continues
  • He has since started an educational organization, the Calyx Institute
    • To inform those in the telecoms and technology industry
    • On best practices for protecting customer privacy
  • This whole case highlights how the secrecy around the letters
    • Has a secondary effect which may or may not have been intentional
  • Now that Merrill is able to talk about some details
    • It will undoubtedly encourage more sharing and challenges
  • If the secrecy was allowed to remain or even expand
    • It would chill the challenges that are critical to preserve our constitutional rights

(15:26) Touchscreens open to smudge attack

  • http://tech.slashdot.org/story/10/08/11/128244/Touchscreens-Open-To-Smudge-Attacks
  • If you have any kind of touch screen device
    • You are well familiar with how easily they smudge
  • Slashdot links to a PC Pro article discussing some research
    • That attempts to recover information from the pattern of residue left on screens
  • Work done at UPenn was presented at the USENIX Security conference
  • It isn't surprising that they were able to successfully recover Android unlock patterns
  • Those phones require you swipe, connecting on screen dots in a particular way
  • That they were able to achieve a 92% success rate with just a camera and a computer
    • Is surprising for how few resources and how little effort it took for such a high rate
  • Wiping the screen only works if you really scrub it
  • They were able to recover latent prints after casual cleaning
    • Like a single swipe with a cleaning cloth
    • Or incidental cleaning from placing and removing devices from a pocket
  • The researchers think the technique could be applied to any touch screens
  • That would include pin recovery or even electronic voting
  • I am inferring there is a limit to the complexity of the recovered data
  • All of the examples are short sequences of touches or swipes
  • If a screen is used too heavily, I suspect anything useful
    • Gets lost in the increasing overlay of smudges
  • The recommendation to use an alpha numeric password
    • Like the new option in Android 2.2
    • Seems to bear out my inference
  • Future work will look at other physical aspects of touch screens
    • In particular, the article mentions thermal traces
  • Imaging latent heat would seem to be more resistant to loss
    • As the most recent use of a screen would be the clearest
  • Of course, the traces are far less durable than skin oil
    • So it's a different trade-off in terms of the feasibility of the attack
  • The researchers question the wisdom of entering sensitive data
    • Using input devices where evidence is so readily apparent
  • The seeming resistance of soft keyboards suggests alternatives
  • Varying the placement of keys for sensitive data randomly
    • Would make after the fact recovery from smudges or heat much harder
  • All the same, it reminds us that such significant shifts in technology
    • Expose latent ambiguities and new risks that weren't apparent with the old
  • I am glad this research was shared relatively early in the popularity of these devices
  • There are tons of touch screen smart phones out there but the growth rate is incredible
  • Early adopters are also accustomed to regular software updates
  • It seems like a good time to consider these findings and beef up security accordingly

(18:40) The future of 3D printing

  • http://www.adafruit.com/blog/2010/08/09/scott-summit-on-the-future-of-3d-printing/
  • Ken, a reader and listener, shared a link to this video
  • It is a presentation by industrial designer Scott Summit
    • Given at the Singularity University on the topic of 3D printing
  • The video is hosted by Adafruit Industries, an innovative company in the DIY space
  • He lays out traditional manufacturing
    • Both its advantages in terms of support innovation
    • And its limitations, that customization is so much harder
  • In other words, it doesn't mesh well when there is a greater need
    • To match a produced good with an individual's need
  • The example he uses is a limb prosthetic
  • His answer was to combine 3D scanning, parametric modeling, and 3D printing
  • He gives a good explanation of what each of these is
    • And how they complement and fit together
  • He explains both the really high end approaches, like he uses
    • And the more DIY approach, cobbling together commodity parts
    • With interesting, powerful and cheap or free software
  • What is surprising, at least for scanning and modeling
    • Is that physical scale is less of a limit than you would think
  • Buildings and even cities are being scanned
  • He gives an equally accessible explanation of parametric modeling
  • Mostly it is driven by the need to scale complex changes
  • Tweaking a single parameter actually affects a complex of interrelated elements
  • As he says, it pushes the hard work on the computer
    • Rather than the designer building or changing one off models
  • I hadn't really thought about the impacts of modeling
  • He explains how a non-expert user can leverage the computer
    • To alter designs, to do customization on demand
    • To meet highly individualized or context based needs
  • The material production is just a consequence of that lower cost of design
  • Customization becomes free, the new design approach eliminates the difference
    • Between a stock version of an object and a highly tricked out one, like a car
  • It lowers the cost of complexity, whatever the source
    • Not just arising from building custom objects
    • But pushing the envelope on sophisticated designs just for its own sake
  • He gives examples of design that no other technique could produce
  • I like that he discusses both utility, like architecture, as well as art
  • Summit ties imagination to design and instantiation
  • Another aspect he explores is the set of new behaviors
    • Specifically creating a marketplace for 3D print on demand
  • Even before we can each have our own desktop 3D printers
    • There are effective ways to share access to the lowering cost
      • Of producing tangible goods with these technologies
  • The video is almost a full hour but well worth the watch
  • His presentation is filled with examples for all his different points
  • The latter half of the presentation is dedicated to two case studies
    • Where he goes more in depth on a couple of his projects
    • That use 3D scanning, modeling and printing

(23:07) Following Up

(23:25) Google, Verizon announce proposal for neutrality policy

  • http://googlepublicpolicy.blogspot.com/2010/08/joint-policy-proposal-for-open-internet.html
  • This past week, Google announced a policy framework for network neutrality
    • That they have been working on with Verizon
  • As the public policy blog post explains, they see this as a continuation
    • Of collaborative work and discussions with Verizon on the issue
  • That includes a joint statement on principles last year
    • And jointly filing comments to the FCC notice of inquiry earlier this year
  • They pretty clearly identify the two main elements of the discussion
  • On the one hand, preserving choice and openness that enables innovation
  • On the other, ensuring there is sufficient opportunity to realize enough value
    • To fuel the growth of broadband infrastructure and access to it
  • The proposed framework is laid out in two pages and is surprisingly concise
  • It can be laid out along seven key elements, that are listed in the blog post
    • Consumer protections
    • Non-discrimination requirement
    • Transparency
    • Network management
    • Additional online services
    • Wireless broadband
    • Case-by-case enforcement
    • Regulatory authority
    • Broadband access for Americans
  • Overall, my impression is this is largely a non-statement
  • It is up to the FCC to do anything with this
  • It is unlikely that Verizon or Google will act on this without some buy-in
  • So as they say, it really is just a move to advance the debate
  • The problem is that it simply doesn't
  • It is riddled with loopholes and weak solutions
  • The recommended role for the FCC is incredibly constrained
  • The additional online services is essentially a way for an ISP
    • To classify any offering as such and bypass any of the rest of the obligations
  • It even carries forward the reasonable network management idea
    • One that is so vague as to be meaningless
  • It makes noises about recognized standards and shared governance principles
    • But there aren't really any and there is no incentive for their development
  • Once again it is a label that can be slapped on borderline behavior as an excuse
  • Even the suggested transparency doesn't go far enough
  • It would add a Schumer box to services but not require any hard operational data
  • We have supposed information like this now on consumer packages
    • But they are often meaningless because they assume burst speeds
    • Or other ideal capacity without any practical data on how packages really perform
  • Worst of all is that wireless is effectively exempt
    • The reasoning being that it is too early days
  • That is utter bunk as we've seen the same issues arise regardless of carrying capacity
    • Or the low level differences in the actual medium
  • http://googlepublicpolicy.blogspot.com/2010/08/google-and-verizon-op-ed-path-to-open.html
  • There is an op-ed in the Washington Post further explaining the proposal
  • It doesn't add much beyond the proposal itself or even the summary blog post
  • http://www.eff.org/deeplinks/2010/08/google-verizon-netneutrality
  • There is a load of analysis of the proposal already
  • Not surprisingly I am going to recommend the one from the EFF
  • By and large Cindy Cohn agrees with some of the troubling aspects I see
  • She is a bit more charitable on some points, like limiting FCC authority
    • And certain possibilities that might arise from standards bodies
  • http://googlepublicpolicy.blogspot.com/2010/08/facts-about-our-network-neutrality.html
  • Google has a content-free response to a lot of the early criticism
  • Speaking more charitably, they could fully believe this proposal is sound
  • What it does is highlight how hard it is to agree on most aspects of neutrality
  • They haven't done more than issue a statement on what they think would work
  • Lots of people have comparable or conflicting views on what would work
  • Maybe they think a framework, stronger than a statement
    • Might lighten the load of regulation
    • The same sort of self regulation practice that has worked elsewhere
  • I doubt that until we can get to some agreement on core principles
    • Like what really is reasonable network management in concrete and auditable terms
    • Then we are just chasing our tails on this issue

(29:22) Outro
