Archive for March, 2008

capsule reviews

Friday, March 28th, 2008

I’ve viewed a bunch of movies recently, most of which featured Phillip Seymour Hoffman.

Charlie Wilson’s War

See it immediately. It is awesome. I was prepared for clever jokes and a peek at how the elites behave in Washington. I got a little of that, but there were some intense, heart-breaking battle scenes mixed in along with some spine-tingling history lessons.

The Savages

This was a depressing romp in the sack with an old demented guy who writes on the walls with his own shit. Great acting all around.

Before The Devil Knows You’re Dead

“The World Is an evil place.” I thought all the bad stuff in this film was happening to me. It took me several days to recover. If you ask, “can things get any worse for these guys?”, the answer is always yes. That is, until the dude’s dad suffocates him with a pillow.

Little Children

Well, what was the point of this besides some hot extra-marital sex with Kate Winslet? It was to ponder motherhood, I guess. There are some truly uncomfortable scenes, like when that guy from the Bad News Bears chops his nuts off and then goes to a playground. There is some great humor, and there’s Kate Winslet. In one scene, Kate Winslet gets fired as a friend in this subdued, disappointed way that is one of the most honest scenes in any movie.

what is this OpenID?

Friday, March 28th, 2008

The option to identify myself on blogger through OpenID appeared a while ago. What is it?

OpenID is a way to verify your identity and do single sign-on (SSO). It is a vendor-neutral approach to federated identity. You set up an OpenID account with an OpenID provider such as myOpenID. It takes about three minutes. When you go to comment on Blogger, you give them a URL associated with your OpenID account (mine is mcgyver5.myopenid.com). Blogger then goes and checks with the OpenID provider. If you have a session going at the time with the provider, it says, “this person is valid”, and Blogger accepts your comment. If you don’t have a session yet with the OpenID provider, you are asked to log in. This solves the problem of remembering a dozen account names and passwords. It also solves the problem of some joker leaving comments in forums or blogs pretending to be you. It could also prevent stuff like this from happening. Many web sites have been adopting OpenID, but not online retailers and banks.
Questions I had:

  1. Why now? Why not in 1996? I don’t know. This is a step back from an all-encompassing solution like Microsoft Passport. OpenID is starting simple. Very simple.
  2. What are the security and privacy concerns?
    - Your OpenID provider might have a way of tracking your behavior online.
    - If someone steals your OpenID account, for example by capturing your keystrokes when you log in, they would have control over all your accounts that support OpenID. The security of OpenID depends on the security of your computer and your email account.
  3. Should I trust the OpenID provider? You have to either trust them or set yourself up as an OpenID provider.
  4. Can I hitch up my gravatar with OpenID? OpenID doesn’t work with “Gravatar”, though there are some requests on the Gravatar site for this feature. There are services like openavatar which do something similar. For some reason, the Gravatar site supports openavatar.
  5. Can I use my HP fingerprint reader as a hardware authenticator with OpenID? That would be awesome. TrustBearer has a service that allows hardware devices like card readers and fingerprint readers to work with OpenID. I don’t see a way to use the embedded HP fingerprint reader for anything other than logging into Windows. Here is a Jon Udell post about passwordless OpenID used with smartcards.
  6. Is there a way to have multiple IDs? Yup. It is called Yadis. It simply defines a format for collecting identities from multiple providers under one umbrella identity. It requires you to be running your own website. Yadis works with any URL-based identity scheme and is not limited to OpenID.
  7. How is this related to security certificates for SSL?
    SSL certificates positively identify a domain, using a third party and information stored in your browser to vouch that you are signing into the website you think you are signing into and that the website is run by who you think it is. OpenID does not serve as an SSL certificate provider. However, VeriSign, a provider of SSL certificates, has set itself up as an OpenID provider.
  8. What stops someone from opening up an OpenID under a variation of my name and going around posting as me? When people want confirmation that I am behind a death threat, they see an impostor’s OpenID page with my picture and have no immediate way of knowing it isn’t me. Even if I hitch my OpenID to my own website, there could be any number of alternate online identities out there. This part I don’t fully understand yet.
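The step where Blogger “checks with the OpenID provider” comes down to verifying a signed assertion. The Python below is an added sketch of that check, not Blogger’s, myOpenID’s or the OpenID spec’s code: it assumes the provider and the blog already share an association secret (real OpenID sets this up with a Diffie-Hellman exchange and discovery on the identifier URL, both omitted here), all hostnames and URLs are constructed, and it also shows why the impostor in question 8, sitting at a different URL, is a different identity as far as the blog is concerned.

```python
import hashlib
import hmac
import secrets
import time

# Toy OpenID 2.0-style assertion check (illustration only; discovery and the
# Diffie-Hellman association step of real OpenID are omitted). The provider
# and the relying party (the blog) share an association secret and the
# provider signs its "this person is valid" answer with HMAC-SHA256.
ASSOC_HANDLE = "assoc-demo-1"                     # constructed
ASSOC_SECRET = b"constructed-shared-secret"       # constructed; from the association step
OP_ENDPOINT = "https://provider.example/openid"   # constructed provider URL
MUST_SIGN = ["claimed_id", "op_endpoint", "return_to", "response_nonce", "assoc_handle"]


def kv_form(fields, names):
    # OpenID signs the "key:value\n" serialisation of the listed fields
    return "".join(f"{n}:{fields[n]}\n" for n in names).encode()


def provider_sign(claimed_id, return_to, secret=ASSOC_SECRET):
    """The OpenID provider vouches that the user who logged in there owns claimed_id."""
    fields = {
        "claimed_id": claimed_id,
        "op_endpoint": OP_ENDPOINT,
        "return_to": return_to,
        "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        "assoc_handle": ASSOC_HANDLE,
        "signed": ",".join(MUST_SIGN),
    }
    fields["sig"] = hmac.new(secret, kv_form(fields, MUST_SIGN), hashlib.sha256).hexdigest()
    return fields


class RelyingParty:
    """The blog accepting the comment. It trusts only what it can verify."""

    def __init__(self, return_to, secret=ASSOC_SECRET):
        self.return_to = return_to
        self.secret = secret
        self.seen_nonces = set()     # a captured assertion cannot be replayed

    def verify(self, a):
        """Return the verified identifier URL, or None if the assertion is not acceptable."""
        names = a.get("signed", "").split(",")
        if a.get("assoc_handle") != ASSOC_HANDLE or not set(MUST_SIGN) <= set(names):
            return None              # unknown association, or a required field left unsigned
        if any(n not in a for n in names):
            return None
        if a["return_to"] != self.return_to:
            return None              # minted for some other site
        if a["response_nonce"] in self.seen_nonces:
            return None              # replay
        expected = hmac.new(self.secret, kv_form(a, names), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.get("sig", "")):
            return None              # forged or tampered with
        self.seen_nonces.add(a["response_nonce"])
        # What is verified is the URL, not the nickname or picture shown on it:
        # "mcgyver5" at another provider is simply a different identity.
        return a["claimed_id"]
```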

sources:
pdp
sam ruby
ars technica

girls acting like boys

Tuesday, March 25th, 2008

I have a friend who was doing a research paper once on Amelia Earhart and I used to introduce her as an Amelia Earhart scholar. This really annoyed her because she was really a scholar of how Amelia Earhart was a fake idea. I had to breathe some pretty thin air before she decided I understood what she was talking about. I still introduced her as a huge Amelia Earhart fan, of course. Females, she theorized, are accepted in the dominion of males only as far as they are willing to act like men and feminism has been irrecoverably infected by this problem. She loved the movie “Aliens” because all the women doing chin-ups on heating pipes and carrying huge guns proved her point.

She’s going to love Hillary Clinton’s story about how she killed that sniper.

Deja Vu:

Monday, March 24th, 2008

I liked Deja-vu, a time travel movie with Denzel Washington. I liked it in spite of the tire squealing. Note to all movie makers: Getting from one place to another is boring, even if you drive fast and crash through gates. Getting somewhere in the nick of time is completely worn out. In fact, I’m going to start a database of movies to avoid because they feature “getting somewhere in the nick of time”. This review says it better.

What I liked about the movie is that the main character, once he starts being able to gaze into the past, becomes so infatuated with the past that he disregards the present. In the only time-shifted car chase I’ve ever seen, he literally drives down a highway wearing a helmet that shows him things 4 hours in the past, and he is too distracted by what he sees to pay attention to actual traffic. He, of course, gets T-boned by a semi, but don’t worry, he only gets a small scratch. Even the helmet still works. The car he is in is still drivable. This recalls my recent blog post, as it is a metaphor for how we so often walk through the world, not seeing the present because we are distracted by the past.

Stephanie Metz: Anatomy of stuffed animals.

Friday, March 21st, 2008

Stephanie Metz is an artist who makes fuzzy teddy bear skulls and other investigations of teddy bear anatomy.

In-depth penetration-testing

Friday, March 21st, 2008

One of the lectures I went to at SourceBoston was by Sinan Eren of Immunity. He was involved in a long-term pen-test of a very secure network and determined that the best attack point was the anti-virus programs that were protecting the target’s email system. Anti-virus suites are typically grab-bags of parsers, unpackers and decompilers and are vulnerable to various buffer-overflow vulnerabilities. Furthermore, AVs must be allowed to bypass some common Windows security rules and must be configured to auto-restart quickly after a problem so that they can continue processing mail. These products, they found, did not get very specific about the reasons for crashing, so the attackers had plenty of chances to crash the AV programs without administrators being alerted.

Once they compromised the email system, they were able to monitor company emails for months until they found an employee with the information they needed. This employee was mailing logs from a program on a secure network to a third party as part of a support contract. The secure network was protected from intrusion with an “air-gap”. In other words, it was not connected to the company’s normal network. Immunity was after information stored on the secure network. They sent a fake email from one employee to another with an attachment that installed a Windows shell extension on the target desktop. This Windows shell extension then waited for a USB drive to be installed and infected it. The USB drive was carried to the secure network and plugged in, allowing it to grab the information and take it back to the original desktop. Once there, the shell extension delivered it to the attackers.

A shell extension was used because they are not blocked by any antivirus. Also, shell extensions do not require admin privileges. Another wrinkle is that the attackers used a novel way to control the extension once it was installed. The extension was a program called “PINK” which searches for and visits certain weblogs in search of instructions. This type of traffic is difficult to detect because it hides in the normal web traffic generated by the employee using the internet. It also frees the attacker from having to communicate directly with the program they have installed. PINK will soon be part of Immunity’s Canvas tool. The instructions for PINK are encrypted and embedded in HTML comments on random blogs throughout the internet. So, the PINK client will do a Google search for some string and parse the results to find out what it should do. In this case the instructions were: “report what folders are on the target machine”. Once the attackers noticed folders from a removable device, the instructions changed to “infect the device”.
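A command channel that hides inside ordinary search traffic has to be spotted by the shape of the traffic rather than by any single request. The Python below is an added example, not Immunity’s or anything from the talk: it scans a constructed proxy log for a client that keeps issuing the same search on a fixed schedule, which is what a program polling a search engine for its next instruction looks like; the log format, client addresses and the query string are all made up.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlparse

# Constructed proxy log excerpt ("<unix time> <client> <method> <url>"); client
# 10.1.2.3 repeats one search about every ten minutes, the way a program
# polling for instructions would, while 10.1.2.4 is an ordinary user.
PROXY_LOG = """\
1206700000 10.1.2.3 GET http://www.google.com/search?q=zk9-status
1206700100 10.1.2.4 GET http://www.google.com/search?q=weather+boston
1206700150 10.1.2.4 GET http://www.google.com/search?q=weather+boston
1206700300 10.1.2.3 GET http://www.google.com/search?q=sales+report+template
1206700600 10.1.2.3 GET http://www.google.com/search?q=zk9-status
1206700900 10.1.2.3 GET http://news.example/
1206701210 10.1.2.3 GET http://www.google.com/search?q=zk9-status
1206701805 10.1.2.3 GET http://www.google.com/search?q=zk9-status
1206702410 10.1.2.3 GET http://www.google.com/search?q=zk9-status
1206704100 10.1.2.4 GET http://www.google.com/search?q=weather+boston
1206704200 10.1.2.4 GET http://www.google.com/search?q=weather+boston
"""

SEARCH_HOSTS = {"www.google.com", "search.yahoo.com"}
LINE_RE = re.compile(r"^(\d+) (\S+) \S+ (\S+)$")


def parse_searches(log_text):
    """Map (client, query) -> sorted request times, for hits on search engines only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = int(m.group(1)), m.group(2), m.group(3)
        u = urlparse(url)
        if u.hostname not in SEARCH_HOSTS:
            continue
        q = parse_qs(u.query).get("q", [None])[0]
        if q:
            hits[(client, q)].append(ts)
    for times in hits.values():
        times.sort()
    return hits


def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Flag (client, query) pairs repeated at near-constant intervals.

    A person re-running the same search does so at irregular times; a program
    polling for its next instruction does so on a schedule, so the gaps between
    hits have a small spread (pstdev / mean) compared with a human's."""
    alerts = []
    for (client, q), times in parse_searches(log_text).items():
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"client": client, "query": q, "hits": len(times), "interval": avg})
    return alerts
```

Tune `min_hits` and `max_jitter` to the log volume at hand; a poller that adds deliberate random delay needs a looser jitter bound and a longer window.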

I ran into Sinan at the airport and after I helped him up, I chatted with him for a few minutes. He said AVs were a big unknown hole that have yet to be fully explored. He also said the same about VMWare. I guess anyone can cryptically hint at grave vulnerabilities in popular software, but this guy carries a lot of weight.
slides from Sinan’s talk.
The part about PINK is here.
an interesting article about Immunity

Later on I did some penetration testing of my own at Dunkin Donuts.

Richard Clarke

Sunday, March 16th, 2008

Richard Clarke, counter-terrorism czar of the Clinton administration and the early Bush administration, spoke at Source Boston. He was an entertaining and inspirational speaker. His point was that the United States was not prepared for cyber war because it wasn’t a priority of the Bush administration. He cited two wake-up calls in 2007 that have upped both the priority and funding of cyber-defense: Russia’s cyber war against Estonia and a Pentagon break-in. Estonia, now a NATO ally, was attacked and NATO could do nothing in defense.

So, the money tree has been shaking and funds, real funds, meaning billions of dollars, will be flowing into the security field including training, defense, offense and research. While this is probably a good thing, he worried that there was no requirement to disclose the vulnerabilities that resulted from the research. The instinct of the people doing the research might be to hoard the vulnerabilities they find so they can be used against enemies instead of informing the American public about them.

Some other incidentals he found interesting:

  • China’s internet can close itself to outsiders if needed and ours can’t.
  • Digital picture frames infected host computers, collected personal data and mailed it abroad. article
  • As discussed here, USS Yorktown’s COTS operating system froze and left the destroyer dead in the water. If we don’t get cyber-security right, then we, the world’s strongest superpower, will freeze and be defeated in some future conflict and be left in the same position the British found themselves in at Yorktown.

One thing he called for was regulation. He thought ISPs should be regulated and forced into the business of preventing spam, malware, DDoS and bot networks. I worry, though, that if regulated, the ISPs would also be very good at preventing slights against business interests, criticism of the government, and even discussion of disruptive technologies.

Dan Geer: Patterns from the Natural World

Friday, March 14th, 2008

Dan Geer was one of the most interesting speakers at Source Boston. While others like Jeremiah Grossman and Roger Dingledine zoomed in on specific subjects, this guy was looking from 1000 miles up.

His speech can be read here.

His speech was a comparison of computer security problems to evolution. For instance:

If we look at Nature in the form of the equations of ecology, we also see two alternative games for survival, r-selection and K-selection.[PER] R-selected species produce many offspring, each of whom has a relatively low probability of surviving to adulthood. By contrast, K-selected species are strong competitors in crowded niches, and invest more heavily in much fewer offspring, each of whom has a relatively high probability of surviving to adulthood. If we change the term from “produce many offspring” to “re-image frequently” you now have precisely the advice Microsoft’s Danseglio gave when he said, “[In] dealing with rootkits and advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.” This brilliant remark is a direct, if inadvertent, suggestion that desktop machines need to be r-selected, i.e., they need to die and be re-born often. If you are of a mind to invest in virtual machines, you may get r-selection as a side effect to whatever it is that you are trying to do with VMs.

Life is programmed to die. This is a missing feature in all operating systems.

He also touched on malware as evolving from predator to parasite to symbiote. A criminal may protect our computers from further infection better than the average end user. In other words, as long as the criminal is getting what he wants from us, he will reciprocate by making our computer secure because it is in his best interest.

Bloggers are doing a pretty good job of covering the conference.

SourceBoston: Tor Presentation

Wednesday, March 12th, 2008

Got to see a presentation by Roger Dingledine, the leader of the Tor Project.

Tor is a network that anonymizes traffic through a series of relays run by volunteers all over the world. The traffic is encrypted so that owners of individual relays cannot read the traffic unless they are the entrance or exit nodes. When you use Tor properly, the site you are visiting cannot tell who you are, and neither your government, your ISP, nor your employer can determine which sites you visit.

I think Tor is about the coolest thing in the world, but it isn’t without problems. His talk explained several pitfalls that Tor as a network has. He also raved a bit about some new features due out soon. Get Tor here or get the Firefox extension.

  • He went over the big Tor story out of Sweden where a researcher set up several “exit” relays and monitored the traffic to discover the email login information for several embassy employees. Tor was criticized for this on Slashdot and in Wired, among other places. He said the criticism stems from a misunderstanding by users of how Tor works. Tor does not magically encrypt the entire internet. Users still have to use https to encrypt traffic between the exit relay and the site they are actually visiting. Roger pointed out that the same sites that criticized Tor for this breach are not available in encrypted form. So, to sum it up, if only for myself, the anonymity of the users was compromised in this case not because the Tor network revealed the origin of their communication, but because the text itself, as read by the owner of the exit node, contained identifying information because it wasn’t encrypted.
  • Tor uses the DNS of the relay. This means that if your network’s DNS service is unavailable or corrupted, you might still be able to use the internet. By the same token, limitations on the exit relay will affect the Tor user. So, if you emerge at an exit node in China, you will be subject to the DNS limitations on that exit node.
  • Countries may effectively block Tor because Tor must publish its directory and directory requests from Tor clients are in plaintext. This will change soon as Tor adds an option to encrypt its directory requests, making it harder to detect a Tor request. Also, in an effort to conform to standards, Tor traffic identifies itself as such in the TLS handshake (the exchange of keys in secured traffic), and those in control of the network can spot this and kill it.
  • Countries may still compile lists of Tor relays. The new version of Tor will combat this by allowing more regular users of Tor to check a button labeled “help other Tor users who are being censored”. This option will make them into a “bridge” or access point to the Tor network, as explained here.
  • At the other end of things, sites can also block Tor users. One reason they do this is that a lot of them get abused by Tor users and find it not worth the aggravation to allow Tor users on their site or network. For example, Wikipedia often prohibits article editing for people coming from Tor exit nodes.
  • Roger is enthusiastic about products like “Nym” and “Nymble” which give blind tokens to people who wish to visit a site like Wikipedia, allowing the site to verify the visitor while keeping the visitor anonymous.
  • A company not willing to allow its employees complete anonymity WITHIN the network, but that wishes to prevent outside sites from seeing that company as the origin of traffic, can install a Tor relay on the perimeter of its network. This kind of use adds corporations as stakeholders in Tor development.
  • Learned exactly what Privoxy was for. Normally, when you type an address like phpsolvent.com into the Firefox address bar, Firefox will issue a DNS lookup for phpsolvent.com. That means that your computer will issue a “HEY EVERYBODY I’M LOOKIN’ FOR phpsolvent.com OVER HERE” message and leave it to whoever is watching your network traffic to guess where you might be surfing to, even if you were masking your actual visit with Tor. Tor uses Privoxy to hide this DNS request (it passes it along to the relay). In future versions of Tor, the Privoxy functionality will be built into Tor itself.
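The Swedish exit-node story above is easiest to see with a toy onion: the client wraps a request in one layer per relay, every relay peels exactly one, and whatever sits inside the last layer is what the exit operator gets to read. The Python below is an added illustration and not Tor’s code (Tor’s real cell format, key exchange and TLS links are not modelled, and the stream cipher is a throwaway built from SHA-256); relay names and keys are constructed, and wrapping the payload with a key shared only with the destination stands in for https.

```python
import hashlib
import json
import os

# Toy onion routing (illustration only): each relay holds a symmetric key it
# shares with the client; the client wraps the request in one layer per relay
# and each relay removes exactly one layer on the way out.


def keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256 in counter mode XORed with the data.
    Symmetric, so the same call encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key, inner):
    nonce = os.urandom(8)
    return nonce + keystream_xor(key, nonce, inner)


def unwrap(key, blob):
    return keystream_xor(key, blob[:8], blob[8:])


def build_onion(circuit, payload):
    """circuit: [(relay_name, relay_key), ...] from entry to exit.
    The innermost layer is for the exit; every layer names only the next hop."""
    blob, next_hop = payload, "DESTINATION"
    for name, key in reversed(circuit):
        blob = wrap(key, json.dumps({"next": next_hop, "data": blob.hex()}).encode())
        next_hop = name
    return blob


def relay_peel(key, blob):
    """What one relay can do: remove its own layer, learn the next hop, and see
    whatever is inside (ciphertext for the next relay, or the payload at the exit)."""
    layer = json.loads(unwrap(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def run_circuit(circuit, payload):
    """Push the onion through the relays; return what each relay saw and what
    the destination finally receives."""
    blob = build_onion(circuit, payload)
    seen = {}
    for name, key in circuit:
        next_hop, blob = relay_peel(key, blob)
        seen[name] = blob
    assert next_hop == "DESTINATION"
    return seen, blob
```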

G-archiver : certain damage

Monday, March 10th, 2008

This serves as another warning about giving your username and password to third party applications:

Creator of G-archiver was secretly collecting usernames and passwords.

A programmer wrote a neat application that backs up your Gmail archives. In the code was a little piece that delivered every password to the creator’s Gmail account.

This is a great approach: if you are an internet criminal, devote your time to creating a useful application that contains some sort of back door that lets you collect your users’ personal information. I wonder how many other third party apps are doing this and what the term is for this type of attack.

via Google Blogoscoped

Three days to never

Saturday, March 8th, 2008

by Tim Powers.

I grabbed this book from the library because it was a time travel book.

Tim Powers loves complicated time travel plots, delves into the technical details of time travel and resolves all loose threads. So, I trust him not to leave me hanging.

I also trust his slapstick instinct.

The end of the book was like farting after an overdose of muscle relaxants. All the tension he managed to build up over the course of the book was lost. He obviously had to tie many loose ends up and provide a “bang” and didn’t quite pull it off (or even try?). I don’t think he wrote the end first, as writing courses will teach you.

The cover blurb promised “Genre Busting”, which I found out means he used tired-out staples all over: Kabbalists, pyrokinesis, TV sets channeling ghosts, Einstein, Charlie Chaplin, the Mossad and ancient Christian sects. But, hey! It had time travel! And the time travel was very well done and the paradoxes were handled well. In fact, this book spent more paragraphs having characters ponder the paradoxes than any time travel story I can remember.

read all about it.

Children of Men: CGS film #1

Friday, March 7th, 2008

Children of Men. How well does it predict the Coming Global Shitstorm (CGS)?

Perfectly.
20 years from now, after a series of catastrophic meltdowns, random violence, soldiers and cages full of deportees are the norm. Even though everything has gone to shit and there is no future for mankind, people still cling to their meaningless existences and get by with pills. The main character sleepily strolls past walls of soldiers protecting an artificial environment where legal citizens are still free to stumble around buying coffee. In an even more protected environment, we briefly glimpse the rich cavorting in vast picnic grounds.

Humans have carried a fascination with the end of the world for as long as they’ve had imaginations. We must, for our own survival, use our vivid imaginations to dream up scenarios where water, food and shelter cease to exist, where disease and war and pests come and take away everything. We are made that way and science fiction stories about total collapse of civilization are an outgrowth of that. I’m going to devise a theory that every sci-fi construct (zombies, time travel, alien invasion) is an outgrowth of some fundamental human discomfort.

Though it gets the CGS right, it isn’t much of a movie. There are a few important scenes, some sketches of characters and then a long drawn out action sequence at the end that is barely worth watching. The movie is excellent for its imagination of the shitstorm, though, especially the way things appear to stay the same until the shitstorm happens to you. Until it does, we’ll fastidiously maintain our lawnmower while the guy 20 yards to the east maintains his, so when one of us evaporates in a tiny mushroom cloud, the other will be able to soldier on.