tokyo, sake

SSD hard drives

The prices of solid state drives (SSDs) are still quite high, but some people are starting to see real value in migrating to them. For example, in a recent blog post, Joel Spolsky writes:

I did a little bit of benchmarking... don’t take these numbers too seriously since I didn’t run many tests and it’s hard to get everything right. Boot time dropped from 2:11 to 0:34. That’s from a cold boot to launching Firefox and navigating to Launching 6 major applications went from about 20 seconds to about 10 seconds. In general, the fact that app launching is so much faster makes a huge difference and it was totally worth it. This little laptop is now the fastest computer I’ve ever used.
But... compile time. Hmm. That wasn’t much better. I got it down from 30 seconds to ... 30 seconds.

Our compiler is single threaded, and, I guess, a lot more CPU-bound than IO bound. Oh well. We’ll still probably upgrade all the developer’s desktops with SSD drives, because making everything else snappy will make their lives better, but we may still be forced to spend some time making the compiler do its work in parallel.

I wonder how long I can hold out.


there's whitelisting, and then there's whitelisting

I'm a fan of Robert Vamosi's podcast on Cnet. Recently he had two shows that caught my attention.

First, he talked to Tom Murphy, chief strategy officer for Bit9, about whitelisting.

He also talked to Eva Chen, co-founder and CEO of Trend Micro, about anti-virus protection.

Ms. Chen said that historically Trend Micro has seen the addition of 1,000 - 2,000 new virus strains in the wild each year. She also said that the numbers were exploding, and that they saw 5.5 million new unique virus samples in the wild in 2007. It's been clear for some time that blacklisting the "bad" apps was a losing battle. These new figures (new to me at least) really underscore that point. There are more illegitimate apps than legitimate apps.

Whitelisting, as Mr. Murphy describes it, allows you to define a set of applications or vendors and to mark them as trusted. Only specifically trusted apps, or apps from specific companies, can execute. Any app that is not on this white list is not able to run.

That technique will help in some cases to be sure, but what about the times when those apps themselves are tricked into performing malicious tasks for the attacker? The "trusted" app is running, but you've still been p0wned. Is there a cure for that problem?

Systems like SELinux attempt to solve this problem by not just whitelisting apps, but application behavior. (And it's built into Fedora and RHEL, naturally.)

Dan Walsh has some thoughts on how SELinux might be applied to something like Google's Chrome browser. He also includes some links to other posts on this same topic.

In one of those posts, Joshua Brindle writes:
Even if I have some sort of browser or plugin exploit going on it won’t matter, only data can be sent to the appropriate place (this is the beauty of mandatory access control, even a broken application can’t do anything bad).

This is a really important point: even "trusted" apps can be made to go bad, and you still need to find a way to be safe.  I'll be interested to see how systems like Firefox and Chrome adapt to these kinds of controls over application behavior.


No UDP for you!

Dear Lazyweb,

Since Monday morning I have been unable to use UDP-based IPSec to access a corporate network via my Comcastic ISP. The TCP-based version works fine. Only UDP is broken. And it started on Monday.

Are other Comcast customers running into the same problem?

Podcast sort order

Dear Lazyweb,

I listen to podcasts.  I like to listen to them in the order in which they are released. I am able to accomplish this goal on iTunes, but not on my iPod or iPhone.  On those devices the sorting order is reversed. See the yellow area.

How do I invert that order so I can listen to the podcasts in the correct order?  And while driving, meaning without having to touch the device.

Some people on the intertubes suggest that you set up a smart playlist, set the sort order in the iTunes UI, and then select the "copy to play order" of that smartlist.  But that's even worse:

All the podcasts are sorted together, by release date (and mis-labeled as "Songs"). The CNet entries are no longer grouped together.  I cannot see which items I've already listened to, can't see the release date, and so on.

This solution is completely unacceptable.

So, dear friends, how do I listen to all my podcasts, grouped by show, in the release order, on my iPhone?  Where is the UI that magically does what I want that I've simply been too blind to see?

SSL session cookies vulnerable (SSL everywhere!)

Elinor Mills' CNET post titled "Google making SSL changes, other sites quiet" is interesting not just because it's about session cookies at some sites being vulnerable to MITM attacks, but also because it brings up a topic I've been talking about for years: using SSL for all connections, not just for login. (See here, and here, among others.)

She quotes Mike Perry:
"Just about everyone but Google simply does not want to spend the money to invest in the security of their users, and will continue to ignore this issue, just as they have for the past year," Perry wrote in an e-mail.
Mike is being generous. Companies have been ignoring this class of issue for the past decade. In 2008 web sites that deal in money or personal information (like email) need to secure 100% of all connections, 100% of the time. It is not enough to secure just the login pages.

And as for cost? It's not really about buying new machines anymore. (See my posts, linked above) SSL has been more than fast enough for years. It's really just a matter of inertia.
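
An added example, not code from this post or from any of the sites it mentions: a small model of which cookies a browser would send unencrypted when a site uses SSL only for its login page. The host name, cookie names and values are constructed, and the model assumes every cookie matches every URL (Domain/Path rules are ignored), so that only the `Secure` attribute and the URL scheme decide the outcome.

```python
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an SSL-protected login page.
LOGIN_SET_COOKIES = [
    "SID=abc123; Path=/; HttpOnly",           # session id without Secure
    "LSID=def456; Path=/; Secure; HttpOnly",  # session id marked Secure
]

# Constructed sample: pages the user visits after logging in.
BROWSING_AFTER_LOGIN = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/compose",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part}
    return name, attrs


def cleartext_exposure(set_cookie_headers, urls):
    """Map each plain-HTTP URL to the cookie names a browser would send with it.

    Assumption: every cookie matches every URL (Domain/Path rules are ignored);
    only the Secure attribute is modelled.
    """
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    exposure = {}
    for url in urls:
        if urlsplit(url).scheme == "https":
            continue  # encrypted in transit, nothing readable on the wire
        sent = [name for name, attrs in jar if "secure" not in attrs]
        if sent:
            exposure[url] = sent
    return exposure


if __name__ == "__main__":
    report = cleartext_exposure(LOGIN_SET_COOKIES, BROWSING_AFTER_LOGIN)
    for url, names in report.items():
        print(f"{url}: sent in cleartext -> {', '.join(names)}")
```

The result is empty only when every page is served over SSL or every session cookie carries `Secure`; securing the login page alone leaves `SID` readable on each later request.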

Counterintelligence at the USDA?

I just read the Department of Homeland Security's "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities". Bottom line, they recommend you leave your electronics at home when you travel.

I decided to search for some of the terms in the paper. The site that caught my eye was that of the United States Department of Agriculture (USDA). The USDA travel pages are really fun to read. They include sections with great titles, such as:
  • You Are the Target
  • Country-Specific Threat Updates
  • Avoiding/Recognizing Intelligence Interest
  • Bugging Hotel Rooms
In all fairness, the USDA credits the Overseas Security Advisory Council (OSAC) for much of their information, lest you think foreign spies were only out to get information on US tomato technology.

"reasonable security measures" for data security

Increasingly the law cannot keep up with specific technologies, and instead relies on phrases like "reasonable security measures". But what does that phrase mean?

Here's an example. The Newfoundland and Labrador Office of the Information and Privacy Commissioner issued a report (P-2008-002) on the theft of some laptops. It has some interesting analysis, such as:
The Commissioner noted that section 36 of the ATIPPA required public bodies to make “reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.” ESD failed to provide such reasonable security measures and this led to the unauthorized disclosure of personal information, contrary to section 39 of the ATIPPA.
Paragraph 34 contains this passage on how they worked to define "reasonable":
To determine whether ESD took “reasonable security measures” to protect personal information, I will consider the following factors:
1. The foreseeability of the privacy breach
2. The seriousness of potential harm (discussed above)
3. The cost of preventative measures
4. Relevant standards of practice
And paragraph 62 contains:
As a multi-layered approach to information security is the current industry standard, I am also of the opinion that this approach is necessary for compliance with section 36 of the ATIPPA. At the time of the breach, ESD was not using this approach. Some useful physical safeguards were in place, but administrative and technological safeguards were obviously lacking. While directives and policies alone would not have prevented this breach, they are nonetheless an important feature in safeguarding personal information. In another case, policies and directives may be the difference between a breach occurring or not. In this situation, however, appropriate technological measures may have prevented the breach. Use of network passwords alone to protect personal information does not constitute a “reasonable security measure” as mandated by section 36 of the ATIPPA. This lack of adequate technological safeguards led to unauthorized disclosure of personal information, contrary to section 39
(Emphasis added)

Some more analysis can be found here:

It also contains some analysis of another incident in the UK. Steptoe writes:
While these specific actions are limited to government agencies, they reinforce the growing trend in the UK -- as well as the United States and around the world -- to regard encryption as a necessary component of data security.

Facebook privacy

For all the talk of privacy concerns in the industry, here's an example of what's still quite wrong. (Click the image to embiggen it)

Facebook: You need to bleed off all of my personal information so I can listen to a song? Really? Cnet needs to know who my friends are so someone can sell me something? Really?

I can understand Cnet wanting to know my age, gender, and zipcode for something like this. Maybe. So why can't I set that somewhere, like on that page? What right does Cnet have to all that other information? What will they do with it? Today? In 5 years?

The bottom line is: Why isn't Facebook trying to help me more than it helps CNet? I'm reminded of the brilliant rant by Al Pacino from Glengarry Glen Ross about how your job is to help us. Not to, um, hinder us up. Or something like that.

Maybe I should read the Facebook Platform User Terms of Service mentioned in the URL above:

Yeah, right.