Archive for April, 2009

watering hole

Thursday, April 30th, 2009

The Daily Dave is the watering hole of the security community. It features regular posts from Joanna Rutkowska, Dave Aitel, H D Moore, Fyodor, Dan Geer, Sinar and others that I probably should recognize.

Today, they had a thread about the concept of no more free bugs, which Joanna Rutkowska and PDP handily shoot down. Also links to her amazing blog as well as a blog I’d never heard of that is almost supernatural in its awesomeness. I refer to http://xorl.wordpress.com/.

cool maps generated from geotags

Wednesday, April 29th, 2009

Google Blogoscoped links to a study of geotagged images.
This research project generates very interesting maps by collecting data from geotags. This data is not limited to longitude and latitude, but incorporates time of day, and details from the pictures themselves to map out where in the world all the pictures on flickr were taken. They suggest that in the future, the social network contacts of the user can be used as well.

The paper is here.

What they have concluded is that their method can generate better representative images of a search term than the image tags on flickr. Their method may also be used to guess at geotags to help the user as they upload new photos.

great owasp meeting

Tuesday, April 28th, 2009

I went and watched Gunnar Peterson present an excellent overview of the state of Web Services security.

He had two points that hit home for me. One is that security vendors and developers are on different planets. It brought back memories of having to authenticate a web application using SAML with a device called “Reactivity”. It was 2 weeks of living hell. There was no documentation and no feedback about what I was doing wrong. As a developer, I would have needed training, or at least a hair follicle on which to base an investigation of what to do. Shudder. I liked his point that both developers and security pros need to take some steps towards the other.

Another point was how much of web services security was really left up to the developers and integrators. I saw this working with Oracle’s OAAM. The product can be perfect, but it is up to a team of developers to implement it properly.

He introduced the development of an OWASP top ten for web services. He went over examples of how people screw up web services security. Most memorable was the MQ product by IBM which has anonymous access turned on by default, and a recent error in Google’s Single Sign-on.

Another point was how ruthlessly stateless web services really are. There was a lot of talk on preventing “replay” attacks, which happen when a third party sniffs unencrypted web traffic containing web services calls and sends the exact same message again. The listening server has no way to tell the replay from the original request. In web applications, nonces (numbers used once) can be used to ensure that replays do not happen, but it is difficult to “hack state back into the protocol”: the server has to remember which nonces it has already accepted. For these reasons, https needs to be used for sensitive web services transactions; TLS denies the sniffer the captured message in the first place, though it does nothing about a message replayed by a party who legitimately held it. He was careful to say that for most web services implementations, there is a long, long way to go to improve web services security before you need to start worrying about replay attacks. Some of these improvements include proper schema/DTD validation, data type validation, data size validation, message authentication, authorization and logging.
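To make the “hack state back into the protocol” point concrete, here is an added example (my code, not Gunnar’s and not from any product he mentioned) of the state a server has to keep to detect a replay. Each call carries a nonce and a creation timestamp, both bound to the body by an HMAC under a pre-shared key; the server rejects a bad MAC, a timestamp outside a freshness window, and any nonce it has already accepted inside that window. The shared key, the message layout and the sample transfer request are all constructed for the demo; the Nonce/Created pattern itself is the same one the WS-Security UsernameToken profile uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the talk or the original post.
// Server-side replay guard for a web-service call: the nonce cache is the
// "state" that has to be hacked back into an otherwise stateless protocol.
public class ReplayGuard {

    private final byte[] key;                 // shared secret, assumed pre-provisioned (demo value below)
    private final Duration window;            // how far a Created timestamp may drift from server time
    private final Map<String, Instant> seen = new HashMap<>(); // accepted nonce -> when it can be forgotten

    public ReplayGuard(byte[] key, Duration window) {
        this.key = key.clone();
        this.window = window;
    }

    static String hmacHex(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** What the client signs: nonce, timestamp and body bound together so none can be swapped. */
    static String signingInput(String nonce, Instant created, String body) {
        return nonce + "\n" + created + "\n" + body;
    }

    /** Returns null when the message is accepted, otherwise the rejection reason. */
    public synchronized String check(String nonce, Instant created, String body, String mac, Instant now)
            throws Exception {
        // 1. Authenticate first, so forged messages cannot fill the nonce cache.
        String expected = hmacHex(key, signingInput(nonce, created, body));
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   mac.getBytes(StandardCharsets.UTF_8))) {
            return "bad MAC";
        }
        // 2. Freshness: anything outside the window is refused outright, which is
        //    what lets the server forget nonces once the window has passed.
        if (created.isBefore(now.minus(window)) || created.isAfter(now.plus(window))) {
            return "timestamp outside freshness window";
        }
        // 3. Uniqueness: the same authenticated nonce a second time is a replay.
        purgeExpired(now);
        if (seen.containsKey(nonce)) {
            return "replayed nonce";
        }
        seen.put(nonce, created.plus(window));
        return null;
    }

    private void purgeExpired(Instant now) {
        Iterator<Map.Entry<String, Instant>> it = seen.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().isBefore(now)) it.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "demo-shared-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
        ReplayGuard guard = new ReplayGuard(key, Duration.ofMinutes(5));

        // Constructed sample call: a SOAP-style body plus the nonce and Created timestamp it carries.
        String body = "<transfer><to>acct-42</to><amount>500</amount></transfer>";
        String nonce = "b7e2c1f0-0a9d-4c1e-9e2a-1d5f3c7a8b90";
        Instant created = Instant.parse("2009-04-28T18:30:00Z");
        String mac = hmacHex(key, signingInput(nonce, created, body));
        Instant now = created.plusSeconds(20);

        System.out.println("first delivery: " + guard.check(nonce, created, body, mac, now)); // null = accepted
        System.out.println("exact replay:   " + guard.check(nonce, created, body, mac, now.plusSeconds(5)));
        System.out.println("tampered body:  " + guard.check(nonce, created, body.replace("500", "5000"), mac, now));
        String late = "other-nonce";
        System.out.println("stale message:  " + guard.check(late, created, body,
                hmacHex(key, signingInput(late, created, body)), created.plus(Duration.ofHours(1))));
    }
}
```

The order of the three checks matters: verifying the MAC before touching the cache means an unauthenticated sender cannot grow the nonce table, and bounding the timestamp means the table only ever holds one window’s worth of nonces. In a clustered deployment the cache has to be shared (or requests for one client pinned to one node), which is exactly the awkwardness the talk was pointing at.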

A good web services development and testing tool called soapUI also serves as a good web services hacking tool. With it, you can take any publicly available WSDL and craft attacks against it. Gunnar’s slides took us through using this tool against WebGoat and made it look very easy.

Another point about web services: they were designed to run over HTTP on port 80 so that they would be allowed through firewalls like regular web traffic. As Bruce Schneier said, “A ‘firewall friendly protocol’ is like a skull friendly bullet.”

I’m always glad to have gone to OWASP. I was really grumpy before going yesterday afternoon, but the bike ride over there cleared my head and I managed to cram a few more bits of info in. The meetings are free and open to everyone.

collection of unintentionally funny reviews. made me laugh.

Tuesday, April 21st, 2009

Cynical-C has an ongoing feature where he posts one-star reviews of classic books, music and movies:
see if you can guess which works these are from:

when a monkey threw a bone up in the air so high that it went into space and morphed into a rocket-ship I was done with this garbage.

This book was required reading for my tenth grade English class, and I had to buy the Cliff Notes because I couldn’t stand reading one more “aint”.

SNORE. I can’t believe some of you dorky stoners trapped in the ’70s have the nerve to call this album a “masterpiece” or “one of the best albums of all-time”! LOL, MUSIC NERDS! You people can’t be serious. They didn’t even get any MTV or BET airplay. I suggest you listen to a great album like “St.Anger” by Metallica or “Lost Highway” by Bon Jovi if you want a taste of what real music should sound like.

Thank God Ms. Lee only wrote this book; surely her next would degrade society even further.

For one thing, I don’t like to watch things with witches in them, especially if one of them is portrayed as a “good witch” - that’s an oxymoron I can’t reconcile with.

There are murders, but not very unique ones. If I wanted to read a good murder mystery, I would go to Thomas Harris. Every event in the entire book was based on this unrealistic relationship between Daisy, Tom, and Jay.

This book is pathetic. Many people called it a “classic.” It’s the book that killed John Lennon. Oswald had a copy. So I thought “What the heck?” I then embarked on four hours of my life spent reading this complete testacle sack of a book;

What a load of rubbish. War is ugly and brutal, but it is not “insane.”

He’s an American soldier during WWII. However, don’t mistake this book for your average war literature, because it’s not. This book is CrAzY! From the get-go, you’ll be confused. Not because you can’t read but because the book isn’t in chronological order,

scrounging at the salvage yard

Friday, April 17th, 2009

A salvage yard is an excellent place to find useless crap. This disk was lying in the dirt next to a wrecked car. The yard was filled with tales of woe. The wreck of our Mazda MPV was there and I had to go get some of our crap out of it. Crap like this oozed from cracks in the wrecked cars. All this crap made kind of a snapshot of what the car owners were up to in their lives at the moment of these life-changing collisions. (everyone here is fine, by the way.)

melHeartDiana

take that, dictatorship of things unquestioned

Thursday, April 16th, 2009

we’re doing some belt tightening:

Dear Kate,

Your Netflix membership has been cancelled, effective 04/16/2009.

Please return the following titles by their specified due dates:

Due Date Title

04/23/2009 The Bourne Identity (2002)
04/23/2009 The Big Lebowski (1998)
04/23/2009 Weeds: Season 1: Disc 1 (2005)
04/23/2009 Weeds: Season 1: Disc 2 (2005)

We hope you enjoyed the service and will consider returning some day.

-Your friends at Netflix

Moses, God, and Passover

Wednesday, April 15th, 2009

I listened to Speaking of Faith on Palm Sunday. It was a rebroadcast of a talk with Jewish scholar Avivah Zornberg. She illuminated the Exodus story beautifully. Well, she illuminated way more than that. For instance, I never really understood the function of the Talmud. It turns out it is at least partly filled with fan fiction about the bible. Zornberg used a few examples of how stories in the Talmud spun off of the Exodus in order to teach further lessons. Such lessons!

You find that when Israel were in harsh labor in Egypt, Pharaoh decreed against them that they should not sleep at home nor have relations with their wives. Said Rabbi Shimeon bar Chalafta, “What did the daughters of Israel do?” They would go down to draw water from the river and God would prepare for them little fish in their buckets, and they would sell some of them, and cook some of them, and buy wine with the proceeds, and go to the field and feed their husbands … And when they had eaten and drunk, the women would take the mirrors and look into them with their husbands, and she would say, “I am more comely than you,” and he would say, “I am more comely than you.” And as a result, they would accustom themselves to desire, and they were fruitful and multiplied.

It sounds like their husbands were beaten down by slavery and the only way to get them to show any signs of life was to start an argument. I’ve been there.

The other part of the interview that intrigued me was the tradition of encouraging questions. Partly to overcome the crushing burden of living in a totalitarian state or in slavery, the tradition is to throw the deck of cards in the air and ask questions. They note that the problems the Israelites seem to have suffered in Egypt have parallels with those of people living in totalitarian regimes. They lose the ability to question the way things are and the ability to hope for a change. I’m going to go beyond totalitarian regimes and say that we all live in a dictatorship of things that we don’t question.

This show made me think that maybe I’ve been too accepting of the way things are. I forced myself to make peace with our insane society, saying, “can’t change people”. This show helped shake things loose a bit.

Type Erasure

Wednesday, April 15th, 2009

Studying for Java certification, I’m still working through Niko Java’s fake exams. Today is Generics.

I just caught a clue about type erasure and I want to document:

The secret to generic types is that they exist only for the compiler to look at. In the compiled class file they have been stripped away, leaving the raw types (a List<String> becomes a plain List); this is called type erasure. The compiler checks, at compile time, that the program cannot violate the agreement entered into with the generic type declarations, and it inserts the casts needed wherever a generic value is read back out.

This affects method overriding in the following way:
if the method in the Child has a generic parameter type and the Parent’s does not, or the Parent’s has a different generic type, the compiler sees two different method signatures rather than a case of overriding, so overriding fails. But the compiler also knows that after erasure both methods will have exactly the same signature, with no way to tell which one to call. This results in the compiler error that theMethod in Parent and theMethod in Child “have the same erasure, yet neither overrides the other”.

If the Parent has the generic type while the Child does not, then the method override succeeds and the program compiles with warnings about type safety. These warnings mean that, because of the mixture of generic and non-generic (raw) types, the compiler can no longer guarantee that an unexpected type will not be put into the collection at runtime. If that happens, the failure shows up later as a ClassCastException at the point where the value is read back, not at the point where it was inserted.
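Both override cases in one small program, as an added example (my code, not from the mock exams). The Parent declares List<String>, the Child overrides with a raw List and slips an Integer in; the caller, who only ever sees the List<String> contract, gets the ClassCastException far from the method that caused it. The case that does not compile is shown as a comment with the exact error text, since it cannot sit in a compiling file.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the original post.
// Compile with `javac -Xlint:unchecked ErasureDemo.java` to see the
// type-safety warning the text refers to, then run `java ErasureDemo`.
public class ErasureDemo {

    static class Parent {
        // Parent declares the generic parameter type.
        void addDefault(List<String> names) {
            names.add("parent");
        }
    }

    static class Child extends Parent {
        // Raw parameter type. Its signature addDefault(List) equals the erasure of
        // addDefault(List<String>), so this DOES override Parent.addDefault: @Override
        // is accepted. javac only warns (unchecked call to add on a raw List).
        @Override
        void addDefault(List names) {
            names.add(42); // nothing stops a non-String going in: heap pollution
        }
    }

    // The reverse direction is rejected by the compiler, so it lives in a comment:
    //
    //   static class RawParent { void f(List l) {} }
    //   static class GenericChild extends RawParent {
    //       void f(List<String> l) {}
    //   }
    //   error: name clash: f(List<String>) in GenericChild and f(List) in RawParent
    //          have the same erasure, yet neither overrides the other

    public static void main(String[] args) {
        List<String> names = new ArrayList<>();
        Parent p = new Child();      // dynamic dispatch picks Child.addDefault
        p.addDefault(names);         // compiles cleanly: the List<String> contract looks honored
        System.out.println("size after call: " + names.size()); // 1, and it is an Integer

        try {
            String first = names.get(0); // compiler-inserted checkcast to String fails here
            System.out.println(first);
        } catch (ClassCastException e) {
            // The failure surfaces at the read, not at the raw-type method that caused it.
            System.out.println("ClassCastException: " + e.getMessage());
        }
    }
}
```

The practical lesson for code review is that a raw type anywhere in an override chain silently cancels the guarantee the generic signature appears to give every caller above it, which is why “recompile with -Xlint:unchecked” notes are worth chasing down rather than suppressing.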

garbage

Monday, April 6th, 2009

Biking home in the wind, I decided to be more mindful and concentrate on details. The wind pushing against my face was the overbearing sensation, but I concentrated on what I could notice about the wind and besides the wind. What was the wind and what wasn’t the wind. I determined that most things were NOT the wind. This helped. I noticed the refuse I passed in the streets. A trail of crushed batteries that perhaps fell out of another bikers light. A demolished CD by the group Everclear. The ten of hearts. An old shoe. I noticed that the streets around the capitol building are extra clean. Como is extra dirty. I want there to be more to the garbage, but garbage is by definition not worthy of notice.

buy this bike before I do

Saturday, April 4th, 2009

I rode this used bike the other day and I really wanted it. It rode like a dream. The handlebars made for a really comfortable fit. It is a Surly Crosscheck frame. Most of the parts are high quality replacements/upgrades.

http://www.flickr.com/photos/hiawathacyclery/3398821465/sizes/m/
It is a magnificent commuter / casual bike. It has a generator hub in front and a three speed internal hub in the back.

Find it at Hiawatha Cyclery.

nikojava

Friday, April 3rd, 2009

let me introduce you to niko’s java blog. Niko invents long, repetitive java mock exams. The repetition is an excellent way to learn and remember all the things you’ll need for the exam. I find that answering each question and giving a reason for my answer gives me better understanding. It’s taken me a week to get through just his collections exam, but damn do I know collections now. And I THOUGHT I knew them damn well before. Never let anyone tell you that the Java Certs are worthless. Studying for this exam is filling in lots of gaps and putting important concepts at my fingertips instead of a web search away or an hour of trial and error away.

restless man surprised to find self in Hopkins

Thursday, April 2nd, 2009

I went out for a bike ride at about 7:00 and just rode west on the greenway until I saw the Coffee Depot. I had planned to just ride to uptown or something. Anyway, here is the route. It was all on bike trails and I had lights along. What didn’t work: I was dressed entirely in cotton.

That is the first time I used gmaps pedometer. A very handy tool. I’m not sure their calorie counter is accurate. Wouldn’t I be dead if I burned 5000 calories in two hours?