Stuffis
Welcome to Brent's pile o' stuff. More for my use than yours, so
why organize?
This is cool: In Google Maps
you can now customize your route. So here's
the path I use if I bike to work.
Four stories on why iPhone third-party apps matter, from a long-time Treo user
I have the Treo 650 and just got a Treo 755p, which meets my needs admirably; the above article sums up nicely why platform openness matters to me.
But I'm also among those who
"have watched with frustration as [Palm] stopped innovating and was passed by"
and are eager to see Palm be a leader again.
Security
DRM
Voting
Jon Stokes at Ars Technica has written an article entitled "How To Steal an Election". The PDF file is available here. (It's copyrighted, but permission is granted to distribute it if you link to the original article and PDF, as I've done here.) The rush to implement touchscreen voting with no paper trail as a backup is extremely worrisome; how long before we have a successful fraud that tips the balance of an election?
Web
- NEW Current research on breaking CAPTCHA: Preventing segmentation (breaking the CAPTCHA word up into individual characters) is very important to making it resist attacks (apparently OCR'ing individual letters, however distorted, is not too hard). Microsoft's CAPTCHA algorithm apparently allows segmentation too easily.
- NEW Great article on current state-of-the-art in CAPTCHA technology — Google's fared best but even theirs has been broken now — Schneier points to a "group [that] is the best out there at defeating CAPTCHAs" (check out their own pretty 3D CAPTCHA)
- Article on The problem(s) with OpenID
- Insidious automated ARP cache poisoning/HTML injection attack: a machine sits on the network, and poisons the ARP cache for clients on that network to make them think its NIC is the default gateway; acting as a man-in-the-middle, it rewrites HTTP sessions to insert a hostile 0-size <iframe>; client web surfing to any site can now include code for anything the browser is vulnerable to
- Dan Kaminsky continues to astound; his work in 2007 includes circumventing the browser's trust model using a combination of DNS entries, a custom TCP/IP stack written in Flash, etc. — now you have a "beachhead" behind the firewall/within the intranet to send whatever exploits you want
- "Inter-protocol Exploitation" technique: (1) Establish a control channel between a browser's JavaScript engine and an outside controller, so that JS commands can be passed to it, and then (2) have the JavaScript engine assemble protocol frames to attempt exploits from within the network; optionally (3) combine with XSS for an even more dangerous combination
- "Drive-By Pharming" (or Cross-Site Request Forgery, CSRF): JavaScript on a web page that attempts to log into routers and other local network devices using default passwords, and then alters DNS settings to point to a poisoned DNS server
- Applying "fuzzing" techniques to browsers: Michal Zalewski (2004), HD Moore (Metasploit, 2006) — Month of Browser Bugs
- Why Phishing Works ("To summarize the summary of the summary: people are a problem." — Douglas Adams)
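The ARP cache poisoning item above boils down to one observable: a second MAC address starts answering for an IP (above all the default gateway) that already had one. The detector below is an added illustration, not code from any linked article; the "time ip mac" line format and the sample traffic are constructed for the example.

```python
"""Detect ARP cache poisoning from a log of ARP replies.

Added example: the input format (one reply per line, "<seconds> <sender_ip>
<sender_mac>") is an assumption of this example, not any tool's real format.
"""

# Constructed sample: the real gateway 10.0.0.1 answers from aa:bb:cc:00:00:01;
# at t=12 a second host starts claiming 10.0.0.1 with its own MAC, which is
# exactly what a poisoning host does to become the "default gateway".
SAMPLE_ARP_REPLIES = """\
1 10.0.0.1 aa:bb:cc:00:00:01
2 10.0.0.7 aa:bb:cc:00:00:07
12 10.0.0.1 DE:AD:BE:EF:00:99
13 10.0.0.1 de:ad:be:ef:00:99
14 10.0.0.1 aa:bb:cc:00:00:01
20 10.0.0.9 aa:bb:cc:00:00:09
"""


def parse_arp_replies(text):
    """Yield (time, ip, mac) tuples; MACs are normalised to lower case."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        t, ip, mac = parts
        yield float(t), ip, mac.lower()


def find_arp_conflicts(replies, gateway_ip=None):
    """Return one alert per reply whose MAC differs from the MAC first seen
    for that IP.  A legitimate host keeps one MAC, so a change is either a
    NIC swap or an attacker answering for somebody else's address."""
    first_seen = {}  # ip -> mac first observed for it
    alerts = []
    for t, ip, mac in replies:
        known = first_seen.setdefault(ip, mac)
        if mac != known:
            alerts.append({
                "time": t,
                "ip": ip,
                "expected_mac": known,
                "claimed_mac": mac,
                "gateway": ip == gateway_ip,  # the high-severity case
            })
    return alerts


def gateway_alerts(text, gateway_ip):
    """Only the conflicts that affect the default gateway."""
    return [a for a in find_arp_conflicts(parse_arp_replies(text), gateway_ip)
            if a["gateway"]]


if __name__ == "__main__":
    for alert in find_arp_conflicts(parse_arp_replies(SAMPLE_ARP_REPLIES), "10.0.0.1"):
        print(alert)
```

The same logic can be fed from a real capture by replacing the sample text with lines extracted from a sniffer; a static ARP entry for the gateway on each client is the usual mitigation.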
Mac OS X
VoIP
It turns out that even though most VoIP streams are encrypted, the ones
that use variable bit-rate (VBR) compression are
vulnerable to analysis.
Mobile
Small is beautiful:
UK mobile application developer Masabi
has launched EncryptME,
a Java ME security component with officially validated implementations
of 4096-bit RSA and 256-bit AES... in only 3K! "Using a single
SMS message, or a few bytes of GPRS data, EncryptME can set up a
secure session and sign up a new user, a new credit card, and make
a transaction." Nicely done.
Hardware
Social-networking site malware (Jul. 2006)
Windows: The WMF vulnerability (Dec. 2005)
XSS: The "Samy is my hero" MySpace Ajax worm (Oct. 2005)
Security at Microsoft
- EEye has a list of Upcoming Advisories where it tracks as-yet unfixed vulnerabilities in Microsoft products
- Secunia also keeps a log of unpatched IE 6 flaws
- Nice interview with Dan Kaminsky (Doxpara) about Microsoft and security
- Brian Krebs at the Washington Post did an analysis of
how long it takes Microsoft to release patches for "critical" vulnerabilities
and the results are interesting. In cases where there's no full disclosure, despite their "Trustworthy Computing" initiative, their time to release "critical" patches has actually risen to an average of 134.5 days (over 4 months). Microsoft steadfastly maintains that the reason for this long time is testing — quality control of the patch to ensure the public trusts Microsoft patches and is willing to install them (which I think is telling in itself). But when there's full disclosure and publication of a working exploit, he says:
one area where Microsoft appears to be fixing problems more quickly is when the company learns of security holes in its products at the same time as everyone else. Advocates of this controversial "full disclosure" approach believe companies tend to fix security flaws more quickly when their dirty laundry is aired for all the world to see [...] In cases where Microsoft learned of a flaw in its products through full disclosure, the company has indeed gotten speedier. In 2003, it took an average of 71 days to release a fix for one of these flaws. In 2004 that time frame decreased to 55 days, and in 2005 shrank further to 46 days.
- "[Dan] Geer's graph shows that Microsoft increased its time-to-patch gap by a little more than one day per month from the start of 2003 to the end of 2005."
Sanitizing MS Word documents (removing hidden data)
Research reveals that even "sanitized" anonymous data is easy to correlate to real people. "Using public anonymous data from the 1990 census [...] 87 percent of the population in the United States [...] could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth." "It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."
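The result quoted above is easy to reproduce on any table: count how many records share each quasi-identifier tuple, and see how the numbers change when the full date of birth is replaced by the birth year. The code below is an added example, not the cited researchers' code; the six records are constructed.

```python
"""Measure how re-identifiable a 'sanitized' data set is.

Added example (not code from the cited research).  The records are
constructed: names removed, but ZIP, sex and date of birth kept.
"""
from collections import Counter
from datetime import date

RECORDS = [
    {"zip": "55401", "sex": "F", "dob": date(1975, 3, 2),   "dx": "flu"},
    {"zip": "55401", "sex": "F", "dob": date(1975, 9, 14),  "dx": "asthma"},
    {"zip": "55401", "sex": "M", "dob": date(1975, 3, 2),   "dx": "flu"},
    {"zip": "55401", "sex": "M", "dob": date(1975, 11, 30), "dx": "none"},
    {"zip": "55402", "sex": "F", "dob": date(1975, 3, 2),   "dx": "flu"},
    {"zip": "55402", "sex": "F", "dob": date(1975, 3, 2),   "dx": "none"},
]


# Two choices of quasi-identifier: full date of birth vs. birth year only.
def full_dob(r):
    return (r["zip"], r["sex"], r["dob"])


def birth_year(r):
    return (r["zip"], r["sex"], r["dob"].year)


def class_sizes(records, quasi_id):
    """How many records share each quasi-identifier tuple."""
    return Counter(quasi_id(r) for r in records)


def fraction_unique(records, quasi_id):
    """Share of records that are the only one with their tuple, i.e. that a
    public list with the same fields (a voter roll, say) would pin down."""
    sizes = class_sizes(records, quasi_id)
    unique = sum(1 for r in records if sizes[quasi_id(r)] == 1)
    return unique / len(records)


def k_anonymity(records, quasi_id):
    """Smallest class size: every record hides among at least k others."""
    return min(class_sizes(records, quasi_id).values())


if __name__ == "__main__":
    for name, qid in (("zip+sex+dob", full_dob), ("zip+sex+year", birth_year)):
        print(f"{name}: {fraction_unique(RECORDS, qid):.0%} unique, "
              f"k={k_anonymity(RECORDS, qid)}")
```

Before releasing such data, pick the generalisation (year, age band, ZIP prefix) that raises k to an acceptable value, and suppress any record that still stands alone.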
As copiers and fax machines get "smarter" we have to start treating them like servers that must be secured and like storage units that must be purged.
An insightful SecurityFocus article from Robert Lemos on
the challenge of defending against zero-day attacks
if your organization uses the traditional patch-cycle approach.
Interesting editorial on
embedded device security.
Good description of, and summary of research into,
practical MD5 collisions.
Schneier
writes
about "identity theft" which he points out is a misnomer (identity is not
"stolen"; the issue is fraudulent use of identification info.). There
are two parts to these crimes: obtaining private data that can be used
to impersonate, and using that data to conduct fraudulent transactions.
Solutions that only focus on the first are insufficient.
IBM's
rebuttal (PDF)
to criticisms about TCPA. In short: TCPA might be used with Palladium
and/or DRM, but those are separate elements requiring separate critique.
TCPA is basically a "smart card built into the computer" and with ties
to the BIOS. Cf. also the classic
Ross Anderson FAQ on TCPA.
HD Moore (Metasploit) points out that in the current climate,
"There is no way to report a vulnerability safely"
(Robert Lemos article). This is a bad trend. Security researchers
(including students) who act responsibly in good faith should be
rewarded for reporting vulnerabilities, not prosecuted for it! Pascal
Meunier at Purdue (CERIAS) describes
his recent experience
with this problem.
Pinch My Ride (Wired):
Insurance companies often believe modern auto "passive antitheft
systems" are infalliable, and deny theft claims since the car is
"impossible" to steal. Worse: Some Honda models apparently have a back
door (pulling the emergency brake, of all things) coded to your VIN.
Spam, Viruses, Malware
SRI's new Malware Threat Center has stats.
New virus Kraken which uses dynamic DNS; not only can that redirect to new IPs when the old ones are shut down, but Kraken has an algorithm for switching to a new dynamic DNS hostname when the old one is shut down.
Washington Post article showing how the amount of malware is skyrocketing (look at that graph!) and AV vendors are struggling just to keep up; what a way to run a railroad.
Latest trends: Viruses that create a free webmail account to send spam through it (apparently circumventing the CAPTCHA?), and conversely, viruses that use CAPTCHA-like distortion in attachments to prevent their email from being detected as spam. (Speaking of CAPTCHA, see elsewhere on this page for a cool article.)
Since new vulnerabilities are always coming along, 0wned computers
may get swiped by a new 0wner at any time. "The bot network industry
has become so profitable, and hijacked computers so valuable, that
rival gangs are now fighting over them."
Some of the worms in the last few years, notably
Witty
(CAIDA analysis)
and
SQL Slammer (Sapphire)
(CAIDA analysis),
have been amazingly elegant: small (fit in one packet) and quick to
saturate their targets
("flash worms").
Scary stuff. See
The 10 Most Destructive PC Viruses Of All Time.
The latest malware is stealthier and more resilient:
- Dec 2007: Article on Storm and Nugache (via the Schneier on Security blog): Storm uses P2P to hide its command-and-control (C&C) server, and fast-flux (DNS) to change the C&C server; Nugache doesn't use DNS at all, and encrypts the C&C channel — the trend is away from IRC and toward custom C&C channels (SecurityFocus article, IronPort "malware trends" article)
- Jul 2007: Honeynet analysis of the fast-flux (DNS) method that recent malware like Storm is using
- Mar 2007: Gozi trojan horse, which went undetected for over a month; harvested user names and passwords, so the authors could put those up for sale
- Feb 2007: The authors of Storm Worm (actually a trojan horse) chose peer-to-peer protocols to avoid control chokepoints, and are adapting the "hook" over time: storms in Europe, greeting cards, Microsoft updates, racy pictures and club memberships and YouTube videos and Blogger posts and Christmas/New Year's/Valentine's Day greetings and ... (stay tuned). Security Fix puts the number of Storm-infected machines in the hundreds of thousands; Microsoft's MSRT scrubbed Storm from 250,000+ machines in Sept 2007 (SRI CSL in-depth paper) (SecureWorks analysis by Joe Stewart) (summary of functionality by Bruce Schneier)
- Raising the Bar: Rustock.A and Advances in Rootkits
- Hiding the Unseen (Mailbox.AZ a.k.a. Rustock.A)
Excellent set of articles describing the history of the spam arms race, and
in particular how viruses (beginning with Sobig) have added a new dimension.
Another article with a history of recent worms and viruses (author's
perspective is that legal punishment is too rare and light):
The sender-pays method of preventing UCE, back in 1933:
10 cents to ring my doorbell
(via Bruce Schneier's blog)
[I don't believe sender-pays is a workable solution for spam, by the way]
IPv6
Alternative Energy
- NEW Micro Wind Generation
- NEW Grass Makes Better Ethanol than Corn Does: "This means that switchgrass ethanol delivers 540 percent of the energy used to produce it, compared with just roughly 25 percent more energy returned by corn-based ethanol according to the most optimistic studies."
- Google.org's RE<C (Renewable Energy Cheaper than Coal) and RechargeIT (plug-in vehicles) initiatives
Mapping
- NEW Mailbox Map: find a blue USPS mailbox near you, and see the pickup time — great example of a useful mashup
- Maps of War: visual history of Middle East empires in 90 seconds
- Worldmapper: maps where territories are resized to show the relative weight of population, immigration, etc. (fascinating)
- CommonCensus Map Project (influence of cities on the surrounding country)
Fun Stuff
- NEW Boston Dynamics' BigDog robot
- NEW Tower Bloxx: build your own (teeterin') city!
- If Star Wars had come out two decades earlier (and Saul Bass had done the credits...)
- Squirrel Obstacle Course
- Human Tetris (Japan game show)
- Cat Alarm Clock
- Bloxorz
- They're Taking The Hobbits to Isengard! (I think the cheezy Casio music is the funniest part — well, that and the look on "Stareagorn's" face)
- Real-life Space Invaders
- Singing Tesla Coil
- Circlo
- Tim Fort's Kinetic Art (not your father's dominoes); worth watching all the way through
- Castle Smasher (catapult)
- Line Rider
- Merry Christmas
- Goggles: The Google Maps flight-sim
- Can you exercise both hemispheres of your brain at once? (Flash; click "JOUER" (play) to start the "JEU" (game))
- Amazing 3D chalk drawings
- The mouse pointer game (Flash)
- Rubik's cube: two-handed in 10.48 sec or one-handed (!) in 20.09 sec or while lip-syncing; also proving the maximum moves required to solve any cube (currently 26)
- Optical Illusion: Big Spanish Castle
- Lemmings (original)
- Bilbana (race cars)
- Goldburger to go (Rube Goldberg game)
- Homemade
- Websites as graphs, one of the coolest visualizations I've seen in a while
- The case of the 500-mile email
- Katapult
- Animator vs Animation and Animator vs Animation 2
- NEW giraffe, chase me (Hexstatic's "Master-View" album is cool), clive the frog, kenya, hos, badgers, footy, badgerphone
- Amateur (very clever) — Lasse Gjertsen — who had previously done Hyperactive, and a Flash version so you can try yourself
- Quartet on one instrument (a viola de gamba)
- Guitar, a la hammered dulcimer (simply amazing)
- Rad Monkey electric cowbells (they have a pickup)
- Top 10 Most Curious States of Equilibrium
- Drum Machine
- Stomp
- Yeti Sports - Yeti-Penguin baseball, Orca Slap, etc.
- Throw Paper
- Benford's Law: in a set of multi-digit numbers, numbers with "1" as the first digit occur more frequently — can be used as a way to detect fraud
- craymachine
- Warthog Launch - 40 levels
- Poke the Penguin
- sodaconstructor
- Credit Card Prank and
Credit Card Prank II
- Virtools
- LEGO logic gates
- Guide to Roguelike Games and
BALROG
- Animated Engines
- Google Image Labeler, the ESP Game, and Human-Computer Symbiosis
Coding
Astronomy/Astrodynamics/Space
- Interesting civilian spaceflight initiatives:
- Google Lunar X-Prize, $20M to the first team that can land a rover on the moon
- Armadillo Aerospace (John Carmack), "working on computer-controlled LOX/ethanol rocket vehicles, with an eye towards manned suborbital vehicle development in the coming years" including the X-Prize Cup
- SpaceX, developing the 2-stage Falcon 1 rocket which first successfully launched from Kwajalein March 20, 2007; ultimate goal is deployment of payloads (satellites), and actually some of the Google Lunar X-Prize entrants may go up on Falcon rockets
- Scaled Composites (Burt Rutan), whose SpaceShipOne won the original X Prize for the first private manned spacecraft to reach space twice in two weeks ... they are working on SpaceShipTwo, a commercial version designed to take passengers into space ... sadly they suffered a fatal accident during a test in the Mojave Desert
- How far are the stars?
- Celestia: great FOSS space simulation software
- Stellarium: FOSS planetarium software
- The Antikythera Mechanism: "amazingly accurate" 2nd Century BC metal astronomical calculator made by the Greeks
- GPS demonstrates Einstein's Theories of Relativity
- Good explanation of Lagrange points (L1 through L5)
- Scale Model of the Solar System in Maine
- Another way to visualize it: The Size Of Our World
- Constellations and Stars
- Astronomers have decided to make the definition of "planet" less inclusive and exclude Pluto (now considered a "dwarf planet"); I wholeheartedly agree. Poor Pluto! Interestingly, though, it does have three moons (Charon, Nix, Hydra)
- Astronomers were previously thinking about making the definition of "planet" more inclusive
- The proposal would have included 3 dwarf planets (Ceres (asteroid—discovered in 1801 and considered a planet at that time), Charon (Pluto's moon), and Eris (2003 UB313—Kuiper-belt)) as "planets" — so we'd have had 12 "planets" total
- Apparently the proposed definition had to do with whether the object (a) "has sufficient mass for its self-gravity to overcome rigid body forces so that it assumes a hydrostatic equilibrium (nearly round) shape" and (b) orbits a star but isn't a satellite of another planet
- But: Pluto's moon Charon would qualify because, since the center of mass of the two-body system is outside Pluto, technically they are a "double planet"
- 581 c, a new Earth-like planet found orbiting Gliese 581 (20.5 light-years away) in the Libra constellation
- Two largest asteroid-belt objects: Ceres (dwarf planet), Vesta
- Trans-Neptunian objects (Kuiper belt, Scattered disk, Oort cloud)
- Eris (2003 UB313 — formerly "Xena"/"Lila"): Kuiper-belt dwarf planet, bigger than Pluto
- CNN article
- Good write-up by Caltech's Mike Brown (whose team discovered it) — it also has a moon, Dysnomia
- This makes the largest 4 Kuiper-belt objects Eris (w/moon), Pluto (w/moon), 2005 FY9, and 2003 EL61 (w/moon)
- Quaoar is another, smaller Kuiper-belt object
- Sedna (2003 VB12) — most distant object (more precisely: object with greatest average orbital distance) known in our solar system (Oort-cloud)
- 3753 Cruithne, 2003 YN17, and other quasi-moons of Earth
- Bode's Law (Titius-Bode Law), an easy way to remember the major planets' distances from Sol — holds true except Neptune
- Newton's Principia
- Solar Activity
- Solar Activity and Aurora Borealis
- Solar Activity
Hardware
Yet another reason why I love AMD's HyperTransport. AMD really shines in 4-way and larger configurations (NUMA).
My TINI site.
Fiscal Responsibility
Wireless
Broadband
Broadband Performance Testing - at home I'm getting 880Kbps on my 1.5Mbps DSL from VISI.com
Oh, and if you're in the market for a hosting provider,
RealMetrics provides some
very useful statistics
to help you sort the providers out. A friend of mine highly recommends
1&1 Internet which he uses to host
a lot of his clients.
Language
Sometimes Google doesn't help when all you have to go on is a phonetic exchange. From That Thing You Do: Guy: "If Jimmy's a genius then I'm [oo tahnt]." TBP: "Who's [oo tahnt]?" Guy: "He's the sec- Forget it." Try Googling "Oo Tant" or "Ou Tante" etc. and you'll get lots of pages talking about TTYD, but nothing else. Turns out the reference is to U Thant, the 3rd Secretary-General of the United Nations, 1961-1971, from Burma (now Myanmar). "'U' is an honorific in Burmese, roughly equal to 'Mister'." — Wikipedia
Language Links
- Ambigrams: words that can be read in more than one way or from more than a single vantage point
- Confusing Words
- grimblepritz and blurfldyick: nonsense words used in the Perl "Configure" script and autoconf, when checking how grep behaves on some platforms
- aargh, hmmm, and ahhhhhh
- Baby Name History
- Survey of "Pop" vs. "Soda", or this one
- Speech Accent Archive
- The Bad English League: Interesting site that shows how many web pages use an improper word/phrase compared with the proper one they should use. My contributions:
- "a whole nother" vs. "another whole" (one I've been training myself out of) - currently at #4. I can understand people speaking this one, but I'm amazed someone would type "nother".
- "should of" vs. "should've" - currently at #9. I realized the other day that it's hearing the "'ve" contraction that makes people learn "of". See also the "could" and "would" variations on this.
- Also try "alot" vs. "a lot".
- Omniglot: a guide to writing systems
Media
Science
Philosophy of the Internet
Mac OS X
Never in a million years would I have imagined myself a Mac user. But Mac OS X has changed all that, and it's now my primary desktop. For a long-time Unix/FreeBSD/Linux user it has everything I want: a mature and stable Unix operating system and the open source software I could not do without (security software; mail routers, servers, tools, and agents; languages; web platforms; directory), with a beautiful graphical environment, multimedia viewers, and productivity software that are to be had only with great difficulty on Linux, if at all. And then there are the stunning extra goodies.
Web Standards
Safari 1.3.1/2.0 bug with CSS borders.
Reactions to IE7 beta 1 (from the standards perspective) from Dave Shea (precious little improvement) and Molly Holzschlag (plea for patience). That's supposed to be a smiley-face, where IE7 beta 1 runs the Acid2 browser test. Microsoft response detailing plans for IE7 beta 2. Chris has said that MS' highest goal isn't to pass Acid2, it's to work first on what they perceive the most important CSS issues are.
The conversation between WaSP and MS continues... the issue is that web developers who care about standards have been forced over the years to use "hacks" to distinguish browsers and emit standards-compliant code that works for that browser (working around bugs, non-standard behavior, etc.). Starting with IE7, the IE team strongly recommends that instead of "hacks", developers use the MS-developed "conditional comments", which Dave Shea comments on, but note that since conditional comments aren't XML, they cause trouble with XSL/XSLT. Sigh.
Dave Shea seems much happier with the latest IE7 preview, in how far they've come in addressing CSS and rendering standards problems.
David Hammond publishes the site Web Devout which tries to put some objective "percent compliant" numbers to modern browsers. He and Chris Wilson traded comments on Chris' blog related to this site; sounds like the IE beta feedback channel hasn't produced the kind of results David and others were hoping for. (I like the idea of having the community "weight" the line items on that site for importance.)
Support for standards in IE/Firefox/Opera:
Tim Berners-Lee says New Top Level Domains Considered Harmful. Good thoughts on why .mobi is a bad idea: breaks device independence of the web and URIs specifically.
An interesting article on the way to use XHTML properly. A little dismissive ("what's the point?") of people like me who validate their pages but send them as MIME type text/html so they can still be read by most UAs. Still, it gives some clarity to what the issues are. There's an XHTML 2.0 FAQ which also talks about this issue, and shows a trick to get IE to accept XHTML sent as XML, and has other good information. More about XML "encoding" vs. Content-Type "charset" in the melodramatically-titled XML on the Web Has Failed.
See The non-world non-wide non-web and State of the WHAT for a snapshot of the W3C WHAT-WG today and their answer to XAML, and see questions of W3C relevancy.
An article at ZDNet gives more background on XForms (W3C, enterprise vendors, needs plugins), XAML (Microsoft, Longhorn+Avalon), and Web Forms 2.0 (browser mfg. e.g. Mozilla/Apple/Opera, works with today's JS).
This site is slowly crawling its way toward a design (cf. A List Apart) that complies with web standards and is viewable with any browser, and uses CSS (amazing site). Here is a great essay explaining why. It will probably use the "Websafe Palette" that Webmonkey alluded to (the "Reallysafe Palette" is a bit extreme). Oh, and here's a Webtechniques article on designing to accommodate color-blindness. See also Webmonkey. (web standards advocacy)
Memes
"The contact lens of Sauron" — apparently this gag was done
on a "Family Guy" episode. I first heard the joke when reading these
two comments on this Schneier Blog page on border security:
So, will Boeing's "Eye O' Sauron" system designed for the Mexican border fail for the same reasons? — Sean
@Sean:
No... as long as he's got his contact lens in, we're okay.
— Anonymous
"Thanks, but snow thanks" (which as of today, 15 April 2008, doesn't
come up in Google when using quotation marks). This sums up my feelings
about further frozen precipitation this year.
Brent and Genealogy
My
brief autobiography
such as it is, and
our family tree,
and a somewhat out-of-date
list of genealogical links.
My contact information