2010 07 25

From TheCommandLineWiki



News Cast for 2010-07-25

() Intro

() Security alerts

() Most browsers allow malicious web sites to nab personal info

  • http://www.theregister.co.uk/2010/07/20/browser_info_disclosure_weaknesses/
  • The vulnerability here is actually pretty old
  • I remember talking about this four years ago
  • http://thecommandline.net/2006/11/26/the-command-line-75-listener-comment-line-360-252-7284/
  • The Register has news that WhiteHat CTO Jeremiah Grossman
    • Will be talking about the vulnerability at Black Hat
  • His presentation will include a proof of concept attack
  • The issue lies with the ability for Safari, IE, Chrome and Firefox
    • To automatically fill out forms based on what a user has entered before
  • Grossman has demonstrated that a malicious site
    • Can use JavaScript to simulate key presses in fields
    • That use common field names like first name, street address
    • And trigger the browser's autofill feature
  • Safari and older versions of IE are the most easily exploited
    • Just sending key press events into form fields
  • Chrome and Firefox require a bit more sophistication
    • Using an XSS attack and only able to uncover passwords
    • Which of course is far worse, in many cases, than personal information
    • Save that Safari and IE clearly also exposed passwords
  • Grossman contacted Apple last month without any serious response
  • He explains he would have delayed the presentation
    • If any of the browser makers had acted on the problem
  • To be fair, the initial version of this problem I read about four years ago
    • Was autofill kicking in immediately on a browser loading a login form
    • Drastically reducing the effort an attacker needed to grab that info
  • I don't think that worst case has even been improved very much
    • And clearly this newer story is just a variation
    • Where an attacker works a bit harder to get at automatically filled in data
  • The best defense, clearly, is to turn off autofill
  • I don't think that is very practical, especially if you use different passwords for every site
    • A commonly recommended practice for surfing safely
  • Some password manager add-ons, like Sxipper, partially help
    • But aren't a complete solution and often add a lot of extra features
    • That you may not need or are themselves subject to possible bugs and hence flaws
  • Hopefully Grossman's presentation will spur the various vendors
    • To finally develop a more effective fix
  • I think just requiring a user action or confirmation may be enough
    • To highlight automated attempts to trigger autofill

() Trying to reinvigorate responsible disclosure

  • http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
  • The Google online security blog puts forward an interesting contention
    • About responsible disclosure
  • That is the compromise in the face of a researcher discovering an exploitable flaw
  • They notify a vendor, first, to give them a chance to fix
    • But withhold public disclosure until such a fix is available
  • The rationale is that this keeps users safer by limiting knowledge of the flaw
  • The post contrasts this approach to full disclosure
    • Where a researcher immediately publicizes a flaw on discovery
  • The thinking here, by contrast, is it pressures vendors to act more quickly
    • And gives users information that could be used to come up with stop gap measures
  • The Googlers contend that responsible disclosure is often accepted by vendors
    • But only as an excuse to delay, perhaps indefinitely, a fix for a problem
  • They seem to be arguing that the compromise needs to borrow the sense of urgency
    • From the full disclosure method
  • An upper bound on deferring disclosure is suggested
    • Say sixty days for a critical vulnerability
  • This goes with working to better characterize exactly what is critical
  • A couple of examples of rating flaws are provided for the curious
  • The authors are proposing adding an appropriate deadline for wider acceptance
    • As well as adopting it as more of a standard for Google's own software and services
  • There is a good concession that working to deadlines
    • Will require more aware and smart process in fixing software
    • As well as building it in the first place
  • I think that part of the discussion could easily branch out into
    • The kind of process and value improvement needed
    • To keep the risks of disclosure to a minimum to begin with
  • Microsoft moves to banish responsible disclosure
  • http://www.theregister.co.uk/2010/07/22/microsoft_coordinated_disclosure/
  • Microsoft wants to drop the term responsible disclosure altogether
  • This Register piece puts the Google post into perspective
  • Both responses from the two companies were spurred by
    • A flaw reported by a Googler to Microsoft
    • And his subsequent public release of the details when Microsoft failed to commit to a fix
  • Microsoft doesn't seem to be disagreeing with Google
    • Though is much softer on how to determine deadlines for fixes and disclosure
  • The implication is the Redmond giant wants to do it more case by case
    • And keep details secret on failure to agree on a deadline
  • I think we need more objective measures, like Google is suggesting
    • Tied more closely to severity and complexity of effecting a fix

() News

() Why developers should run for Congress

  • http://infovegan.com/2010/07/19/why-developers-should-run-for-congress
  • The rate at which the legislative body in an open democracy
    • Lags behind the norms of society at large
    • Is a constant source of frustration for those working in technology
  • It is possible to see this lag as very intentional
    • A means of cooling public passion
    • Just like the very bicameral aspect of many such governments
  • Unfortunately, the friction intended to make law making more deliberative
    • Is subject to a couple of disastrous failure modes
  • Sometimes public reaction is so strong, it overwhelms the metaphorical levees
  • And there is regulatory capture, where moneyed interests hijack legislation
    • To defy the usual processes and norms
    • As in the case of the moral panic over intellectual property
  • When we are convinced some technology or norm is here to stay
    • There often also arises a conflict with this precautionary approach
    • The internet being the strongest example to date
  • Clay Johnson, formerly of Sunlight Labs, has a call for those deep in the bowels of technology
    • To get involved on a firsthand basis to address this irritating gap
  • He points out programmers being under-represented as a profession
    • Is part of the reason new laws fail to better match how technology works
  • There are science and engineering types working in Congress
    • But few if any with a solid background working hands on with today's technology
  • It is important to remember that user norms don't paint the whole picture of technology
  • The anti-circumvention measures in the DMCA totally prey on that fact
  • He also explains how the process of governing increasingly relies on computer technology
  • How much of the excesses of spending on IT could be reined in
    • If there were more members of Congress with a current background in the field?
  • He suggests that many government consultants, contractors actively prey on this ignorance
  • I really love his thought that programmers as systems hackers would hack Congress
  • I think it is a bit naive, any such long standing system will be resilient to too much change
    • But I think he is speaking maybe more to an individual Congress person's office, communications
  • We are already seeing some tension there with rules on social media
  • Maybe a hacker congress person could take some steps towards solving
    • The uselessness of electronic communications from constituents
  • It is a problem presently because there is no good means to verify authenticity
    • That complaints, concerns, other messages actually come from those
      • Who elected or can re-elect a representative
  • He also suggests developers would hire more technologists onto their staff
    • And that programmers are better at digital communications
  • I agree with the hiring, not so much on communications
  • There is strong evidence that there are simply good communicators
    • Regardless of medium, who have the wherewithal to adapt and use anything
  • I am concerned about programmers actually being less effective
    • Because of the gap that is often present between an engineer's expectations
    • And how a system actually works
  • In the circles I move, I see this over and over again
    • Where some techie proposes a simple, elegant solution to a policy problem
    • That in no way addresses how to work with the system we have
    • Or even to make modest changes to improve its chance of success
  • Clay's thoughts resonate with a rant I published a few years ago
  • Namely that there is acceptance of technical illiteracy
    • A resignation that this is just the way of things in the US Congress
  • Sadly, at least one techie has tried to make it into Congress, Pete Ashdown
  • There is often an incredible hurdle in the form of beating a seasoned incumbent
  • In four years, I haven't read about any other candidate coming up
    • Specifically from a technology background
  • It will be interesting to see as my generation ages
    • How many start to consider a possible political career
  • As many have speculated, even if new candidates don't come specifically from technical fields
    • Will the generational norms about technology start to have the same effect?

() Older, simpler transistor design finally realized

  • http://www.scientificamerican.com/article.cfm?id=look-ma-no-junctions
  • One of the reasons I pick stories about the physics of computing
    • Is that I take for granted exactly how things work
  • I doubt I am alone in that respect
  • As new discoveries are made, it is often useful to explain
    • How existing elements of computers work
  • That is definitely the case with transistors
  • I know they are just about the most basic element of a CPU
    • But haven't spared much thought for how they actually work
  • Scientific American had an article in the June issue
    • On a much older design for a transistor
    • Patented in 1925 by Austrian physicist Julius Edgar Lilienfeld
  • The design used today is based on a more complicated design
    • First built in 1947 in Bell Labs by John Bardeen, Walter Brattain and William Shockley
  • The doubling of the density of transistors in a CPU
    • Has been the driving force of raw computing power
    • The observation made by Gordon Moore, dubbed Moore's law
  • The design we've been using is a semiconductor strip
    • With layers of differently doped silicon
  • It relies on these differences, or junctions, to work
    • Acting as a conductor when an electrode, or gate, applies a field
    • Or as an insulator when the gate is off
  • The problem junctions present have to do with scaling transistors ever smaller
  • Junctions rely on a certain resolution in the material
    • A sharp difference in the density of doping in the silicon
    • That is hard to create at smaller scales
  • Lilienfeld's design didn't include these junctions
    • So clearly has an advantage as we need to scale down
    • To keep driving the pace of Moore's law
  • Jean-Pierre Colinge of the Tyndall National Institute in Ireland
    • And his team have built a working prototype of a junctionless transistor
  • It is based on a doped silicon rod, a micron long and 10 nanometers thick
  • The gate crosses the middle of the rod and when current is applied
    • Its field depletes the rod of its electrons, preventing electrical current from flowing
  • The prototype required less power to operate, also promising less waste heat
  • The lower switching power also means it can operate faster than a traditional transistor
  • The work was published in the March issue of Nature Nanotechnology
  • The materials used are similar to those used in today's chips
  • The scale is also compatible with the scale at which computing elements are made
  • The barrier at the moment is the length of the rod, at 1 micron
  • Colinge thinks that can be scaled down to 10nm as well
  • From the article, it sounds like it is a fabrication challenge, not a theoretical one
  • There have been a lot of developments at reducing the scale of circuits
    • So I think there is a good chance the Lilienfeld transistor
    • May one day make it into our computers, perhaps re-igniting the acceleration of clock speeds
    • As well as helping to solve the power and heat dissipation issues
    • Arising from the constant demand for more powerful computers

() The trouble with multicore

  • http://spectrum.ieee.org/computing/software/the-trouble-with-multicore
  • One of my other abiding interests in the fundamentals of computing
    • Is the current transition from single core to multiple or many cores
  • My most recent discussion was my interview with sigflup for Hacker Public Radio
  • I know I've talked about the RAMP project before
    • Though I cannot find the link in my archives
  • RAMP is a research effort using FPGAs to simulate thousands of CPU cores
    • At something approaching reasonable speed
    • It stands for research accelerator for multiple processors
  • The goal is to push many core well beyond the horizon
    • To help drive exploration of how we can best make use of this architecture
  • One of its leaders, David Patterson, has a good article in IEEE Spectrum
    • On the state of many core computing
  • Patterson is a computer scientist at Berkeley and a past president of the ACM
  • I guess I should have guessed but didn't realize many core has a decades old history
  • Patterson mentions several hardware projects, almost all failed
    • Trying to implement effective parallel computers
  • He also ties our current efforts in parallel programming languages
    • To a deeper history of languages, again mostly failed
  • The current push for many core computing differs from the mere curiosity of the past
  • He has a good explanation of the power wall current processors have hit
    • And the switch to keeping chip density going by bundling more cores
  • This is related to the junction-less transistor story
    • In that the power wall is a function of being unable to decrease operating voltage
    • And continue scaling transistors down
  • Patterson doesn't mention any research into alternative physical systems for computing
    • Which I've been following for the past few years
    • Any one of which could buy us a bit more time to work on effective parallel programming
  • He is skeptical we'll come up with a generalized approach
    • To making programs more parallel
  • Part of the reasoning is that research was stalled until recently
    • Because of the constant improvements in clock speeds of chips
  • As the state of parallel programming stands, you need considerable expertise to use it effectively
  • He lays out some killer applications that rely on PhD level talent
  • Most of these are not surprisingly bound up in academia
    • Like simulations, such as Monte Carlo, or other numerical computing
    • Where the programs have data-level parallelism
  • The best example of the latter he gives is actually graphics programming
  • His work with the parallel lab, or Par Lab, at Berkeley
    • Is focusing more on potential killer applications
    • Like speech comprehension
  • Though he is skeptical of an automated or generalized approach to parallel computing
    • The article describes some low level academic work supporting that doubt
  • He suggests that digging into targeted applications
    • Might yield some insights that can be generalized
  • One area he is optimistic about is cloud computing
  • It is inherently parallel by serving so many simultaneous users
  • Each core can be dedicated to one or a few users
  • I agree but only up to a point as the parallelism will break
    • Where data needs to be shared between many users
  • In other words, we need parallel databases as well as server programs
  • If you are interested in the challenge of many core computing
    • Or want a more complete background and state of things
    • Read the rest of the article
  • Currently, I am reading Kevin Kelly's excellent Out of Control
  • I'm currently reading his discussion of Rodney Brooks' work in machine intelligence
  • It has me wondering if something more radical is in order
    • Like adopting a subsumption hierarchy
  • I wonder if Patterson's speech recognition work is doing just that
    • Pushing recognizers into independent cores
    • And driving consensus up through more cores
  • It makes you wonder if it isn't just the programs that need to change
    • But our entire approach to problem solving with computers

() Another scheme to directly profit from copyright infringement

  • http://www.wired.com/threatlevel/2010/07/copyright-trolling-for-dollars/
  • If you had any doubt that copyright has gone off the rails
    • Reading David Kravets' write-up about Righthaven should clear things up
  • Righthaven started up a campaign in March
    • To buy out copyrights covering newspaper stories
  • The only reason they are doing so is to be able to threaten infringement
    • Against blogs and web sites that re-post the articles in whole
  • They profit by getting defendants to settle for more than it cost them to buy the rights
  • As an economic incentive, copyright is supposed to create market opportunities
    • To increase diversity in expression
  • Up until recently, the received wisdom is the right to exclude copying
    • Gave creators and intermediaries like newspaper publishers
    • The ability to strike profitable licensing deals
  • Pressing complaints of infringement was always secondary
    • A way to encourage proper licensing and usage through the market
  • These suits aimed at getting a lucrative settlement with the threat of ridiculous statutory damages
    • Are a new form of rent seeking, one I'd argue is only going to get worse
  • Rent seeking is in contrast to profit seeking
  • Ticket sales for a movie, even merchandising deals, could be considered profit seeking
  • Licensing rights for incidental and even intentional usage of film snippets in documentaries
    • Is more of a rent seeking behavior
  • A documentarian wants to use a particular clip because of its cultural relevance
  • There isn't really a substitutable good in this case
    • Some similar work may not carry the same popular recognition and hence cultural weight
  • Taking advantage by charging an exorbitant fee to license the use
    • Is an example of rent seeking
  • These law suits, undertaken by the likes of the USCG and Righthaven are pure rent seeking
  • They have nothing to do with profiting off of the work itself
  • It isn't even seeking a license fee, something arguably closer to the market
  • The only silver lining Kravets points out is that re-posting
    • Rarely rises to the same scale as file sharing of movies and music
  • This doesn't seem to be deterring Righthaven which is looking to acquire more copyrights
  • As far as I can tell, they are not pursuing bloggers and aggregators
    • Who use part of a story, as a quote, something that may be more defensible under fair use
  • My concern, though, is that if Righthaven taps out what they can cost effectively do
    • With complaints of wholesale infringement, they'll turn to quotes and links
  • AP has certainly made a huge fuss over quotes and links
    • Though their rent seeking has followed the more traditional model of demanding licensing fees
  • With each law firm that decides it is more lucrative to threaten law suits to encourage settlement
    • It becomes easier and more attractive for others to follow suit
  • I think we have enough data points to chart out a trend, one I think needs to stop
  • Reforming statutory damages could diminish the ability to pursue this model
  • Also pushing for a more balanced burden, the plaintiffs have to prove more merit, more harm
    • Might also change the calculus that is leading to this distressing exploitation

() Following Up

() Scribd infringement case dropped

  • http://www.wired.com/threatlevel/2010/07/copyrightfiltering-scribd/
  • David Kravets at Wired catches us up on the particulars
  • This case was unusual for advancing an odd claim
    • That the copy fed into a copyright filtering system
    • Was itself an infringement despite being used to prevent infringement
  • I don't think the idea was unique
    • I want to say this claim has been pressed before
    • But cannot find the story in my archives
  • Clearly if such a claim were upheld
    • It would make operating any kind of information sharing service impossible
  • It is the worst kind of rent seeking
    • Looking to burden even the copying used to try to respect copyright in the first place
  • The Scribd complaint was brought by Elaine Scott, a children's author
  • It included both the infringement for feeding the filter
    • As well as a more traditional claim
  • The case has now been dropped
  • Scribd's lawyer attributes this to the site's fulfilling its takedown obligation under the DMCA
    • And a strong fair use defense for using a copy with its copyright filter
  • A ruling on both of those would have shored up battered safe harbors
    • As well as established a precedent against the oddball filter complaint
  • But even the dropping of the case may help other potential plaintiffs think twice
  • Kravets points out one of Scott's lawyers defended Jammie Thomas
  • In that defense the lawyer, Kiwi Camara, tried to argue the file sharing was fair use
  • The implication is that Camara may have realized
    • That Scribd had a much clearer fair use stance

() Big content re-branding their cloud DRM, to begin testing soon

  • http://arstechnica.com/gadgets/news/2010/07/dece-moving-forward-with-beta-tests-but-still-sans-apple.ars
  • Big content has been trying to make DRM more palatable
  • The Digital Entertainment Content Ecosystem, started back in 2008
    • Tries to address the complaints about device lock-in and preventing format shifting
  • It still uses essentially a key server
    • But allows authentication from different devices
  • It still suffers from all the same problems with DRM
    • In that the keys are discoverable no matter how you try to hide them
  • Further, the reliance on a network server means portability relies on being online
  • It also means the key servers have to stick around to continue to access works you bought
  • This didn't work so well for the likes of Microsoft with their home grown scheme
  • Now the DECE effort has been re-branded as Ultraviolet
    • And is renewing its efforts to become an industry standard
  • It is targeting video, primarily, and has gained quite a few backers
  • The list includes most of the studios and many high profile technology companies
  • There is one notable hold out, Apple, which could bar Ultraviolet from being very attractive
  • Jacqui Cheng, who wrote up the re-branding and current state of the project at Ars Technica,
    • Simply speculates this could prevent Ultraviolet from becoming a standard
  • Cheng also thinks success would be pretty palatable to the end consumer
  • That view totally overlooks the frequent failure modes of DRM
    • Even one as liberal on device and format shifting
  • It still imposes an innovation tax on new devices wishing to participate
  • Formats also get locked in even more than they are now further harming innovation
  • I think the lack of backing by Apple is more likely to undo video DRM
    • For similar reasons to its failure for music
  • If Apple keeps using its own DRM and continues to control the channel
    • Content providers are more likely to start using DRM free, compatible formats
    • As a means of getting into iPhones and iPads despite Apple's control

() Outro
