Dave's Bit Bucket

Dave Walker's jottings - mostly pertaining to security

All | Cooking | General | Java | Networking | Security

« Previous page | Main | Next page »
20070726 Thursday July 26, 2007

Blindside

If you're not yet familiar with http://www.blindside.org.uk/, it's a blog / wiki site on which some interesting folk are recording some very forward thinking. The remit of Blindside is basically "take UK society in general, add technology (taking emerging technologies into consideration), and figure out what issues Government will face as a result, in 5 years' time or so".

Blindside is sponsored by the CSIA, and the Blindside folk are required to report their findings to CSIA on a regular basis. While the Blindside folk have a very large amount of experience, they acknowledge that they can't be experts in everything - so, particularly for the Wiki items, they encourage experts in the relevant fields to contribute to, and correct errors in, their records.

So, the bottom line is: if you care about UK Government's approach to technology, particularly technologies you are well-versed in, go to Blindside, read what's there, be intellectually stimulated and contribute your own wisdom, when you're not busy with your day job.

Thank you.

(2007-07-26 02:33:30.0) Permalink Comments [0]

20070607 Thursday June 07, 2007

London Olympics 2012 logo Rorshach test

Much has been written and blogged about the logo unveiled the other day for the London 2012 Olympics.

It's supposed to be a graffiti-style representation of the number "2012". I had to have this explained to me - hopefully when posters featuring it start going up around London, council workers will paint them out, just as they do with Banksy's works. (In fact, here's a thought - Banksy really ought to design a London 2012 logo and paint it somewhere near Canary Wharf so the 2012 Committee see it on the way to work).

Surprisingly, it also seems to work as a Rorshach test (the best comment I've overheard is "what is Lisa Simpson doing to that poor man?"), and a puzzle that folk are playing with to see what other figures they can make with the individual shapes presented.

All being well, normal service will be resumed shortly...

(2007-06-07 07:59:27.0) Permalink Comments [2]

20070521 Monday May 21, 2007

The B Road Algorithm

I can't take credit for this posting, on the grounds that the algorithm was created by my old pal Clive, but AFAIK he hasn't blogged about it.

If you've ever been out travelling in the UK at lunch or dinner time, and been stuck for ideas as to where to eat, you'll like this. Grab your atlas, find a nearby large town, and look for a smaller town or large village connected to the large town by a B road.

On this B road, you are pretty much guaranteed to find a pub serving good food.

Back when I was living in Huntingdon, Clive and I often used to head off on jaunts at the weekends to see different places of interest around the country; the resulting extensive testing of the B road algorithm has showed it to work pretty much everywhere in rural England, Scotland and Wales except, for reasons we couldn't fathom, Lincolnshire.

So, as summer arrives and the mind turns to travel, consider using the algorithm to find good places to eat. It will help support the local economy, too. I'd be glad to see comments on how well it works for you.

(2007-05-21 03:54:28.0) Permalink Comments [2]

20070510 Thursday May 10, 2007

Passengers rebel against airport "security theatre"

It seems I wasn't the only one listening to the World Service last night; there were two stories of interest to security geeks, and here's "the other one" (no web imprint appears to be available right now, though).

Since the apparently-thwarted attacks intended to happen last August, people boarding aircraft in the UK have been subject to particularly stringent restrictions regarding what can and cannot be carried in hand luggage.

It seems that many folk have had enough of this "security theatre". Passenger numbers are down, not only as a result of folk deciding not to fly, but also some folk are starting to take Eurostar to either France or Belgium and fly from there. Sadly, the number of assaults against airport staff is also up - particularly those involving emptyings of liquids from bottles of > 100ml capacity over the heads of airport staff.

A BAA spokesman said that "around 90 percent" of passengers have to perform some remediation of their hand luggage at security, and since the restrictions have been in place, over 200 tons of items in breach of them has been confiscated nationwide. The figure is 95%, at one particular (unnamed) regional airport.

Naturally, some folk have tried to be inventive; I was hoping that the guy who filled a bottle with water at home and froze it, would have succeeded in his argument to take the bottle on board on the grounds that its contents weren't a liquid...

(2007-05-10 07:39:06.0) Permalink Comments [0]

20070509 Wednesday May 09, 2007

Posting in even stranger places...

Following a little branching-out into blogs.sun.com/security, I was invited to post a thought on "propagation of data that some folk might want suppressed" on samizdata.net, in particular how traditional samizdat and new samizdata differ in propagation. Folk interested in this area may want to have a read...

(2007-05-09 04:32:35.0) Permalink Comments [0]

20070504 Friday May 04, 2007

Winding up the Sun

(A note to readers; this posting was originally written on the 1st of May, I just haven't managed to upload it until today...)

This is nothing to do with causing colleagues to briefly hold false opinions for personal amusement, but rather, observing one of England's more amusing ancient traditions.

At dawn this morning (05:32!), the Hook Eagle Morris Men gathered outside my local to bring in the May Day dawn. If you've never seen these guys, they're not your typical Morris troupe - forget the whites and handkerchieves, their outfits comprise black shirts and trousers, frock coats with tails (for the musicians - two accordions, two violins, a tambourine and a recorder), waistcoats which look like they were made from cut-up road workers' fluorescent jackets, and top hats adorned with pheasant feathers and fox tails. To cap it all, they black their faces up and wear dark mirrorshades, so it's very much "Morris goes post-Cyberpunk". Oh, and they're serious with their sticks - they don't pull their blows, and there were some splinters flying!

About 20 folk turned out to watch, and a bunch of us (me included) were roped-in to go through one of the simpler dances ourselves. It's harder than it looks, especially if (like me) you have a slightly iffy leg. At about 06:15, Adrian the landlord opened the pub for breakfast - a bunch of the Morris Men went so far as to sink a couple of pints, although as the sun was barely up, never mind over the yardarm, I settled for a nice mug of tea.

Photos of these guys doing their stuff can be found here; their main website, with timetable of currently-scheduled appearances, is here.

Hint: Go read the docs on the website, especially if you're fond of the kind of English irony espoused by lovers of real ale.

After a busy day's work (involving a design meeting and a trip into London to present at the Intellect Security and Privacy Working Group, followed by a very enjoyable curry with the group's vice-chairmen), I was too tired even to put my "Wicker Man" DVD on when I got home...

(2007-05-04 08:08:56.0) Permalink Comments [0]

20070413 Friday April 13, 2007

UK parties doing "Politics 2.0"

As well as keeping up to date with current affairs, I find it interesting to keep an eye on how our political parties make use of current technologies to communicate with the British electorate.

As well as taking RSS feeds for a small number of MP's contributions to Commons debates from the excellent http://www.theyworkforyou.com/, I'm also signed-up for Conservative, Labour and Liberal Democrat email newsletters. Labour's approach to content is probably the slickest - the mails come from real individuals, are most visually varied and the feedback mechanism looks straightforward, whereas the Conservatives major in consistency of format.

A number of politicians blog on their specific subject areas; the Conservative approach is to host individuals' blogs on sites dedicated to their specific subject areas, the Labour approach is to host blogs on their main site pertinent to issues rather than individuals, and the Lib Dems - while they have group blogs for specific events (such as this one for their 2006 conference) tend to run with the model of bloggers using sites such as blogspot or their own. Interestingly, the Lib Dems appear to most supportive of blogging; they have their own Blog of the Year Award.

Moving on to multimedia, the Conservatives started the "UK politicians posting reasonably candid video-clips" trend with WebCameron; Labour has gone mass-market with LabourVision, hosted on YouTube. I'm sure the Lib Dems will follow suit, shortly.

Now that digital television has vastly increased the number of channels available to consumers, I think the penny is starting to drop that there is no longer a captive audience for a Party Political Broadcast, as I've not seen one for a couple of years.

Who knows - the day may come when a party develops its election manifesto on a public-facing wiki...

(2007-04-13 07:22:59.0) Permalink Comments [0]

20070329 Thursday March 29, 2007

Reality and Classic Comics

So, the UK is about to get a Ministry of Justice. Meanwhile, the debate about what summary powers to give to the police rolls on.

I've seen this somewhere before. I wonder what the UK might look like in 2031, when it comes to law and order...

(2007-03-29 06:58:04.0) Permalink Comments [2]

20070319 Monday March 19, 2007

Vulnerability Description Languages and Classifications - Empirical Validation of Muffett's Second Law?

Way back when - at least 8 years ago, by my recollection - my pal Alec posted the first disclosure of "Muffett's Second Law", which states:

"There are no new security bugs, there are merely ever-more-complex reincarnations of the same classes of bug."

While this appears to fly in the face of a huge plethora of vulnerability disclosures at first sight, there's method behind this. Consider the ways in which vulnerabilities can readily be grouped:

  • stack or heap overflows / smashes
  • connection source spoofing
  • cache poisoning
  • dictionary attacks
  • data injection into existing sessions
  • session replay
  • introduction of "unexpected" data (eg numbers outside expected ranges, strings of greater than expected length)
  • reference rewriting (whether to force or block branches within self-contained code or to perpetrate cross-site scripting attacks...)
...these attack mechanisms appear to have remained pretty invariant in terms of concepts - although the means of implementation have shifted - over the time I've been professionally involved in computing.

The fact that a vulnerability description language has emerged to handle structured vulnerability disclosures, and a dictionary of terms is being compiled to assist with consistency of same, suggests that this particular Muffett's Law has a good degree of truth behind it...

(2007-03-19 07:28:15.0) Permalink Comments [3]

20070304 Sunday March 04, 2007

Beyond "Web <foo>.0" - Extending the OSI Stack

Everyone (and I mean everyone) is sounding-off about "Web 2.0". Fortunately, many smart folk are beginning to realise that it's way too general a term - in that it can be applied to way too many things - and are beginning to reduce their usage of it and talk about such more readily-definable things as "participation" instead.

I think it's about time, not only as a result of the "Web 2.0" thing, that the OSI stack was formally extended. While the page quotes 'A common joke is the 10 layer model, with layers 8, 9, and 10 being the "user", "financial", and "political" layers, or the "money", "politics", and "religion" layers', I think we now actually have:

Layer 8: Purpose

This is something we're already starting to see in SOA representations, where transactions are taken to the point of being shown not as what they are (eg write record to Oracle) but as what they're for (eg debit customer account) at a business process level. Doing this enables folk to do all manner of drag-and-drop workflow construction and analysis - this clearly sits above Layer 7, as it involves mediation of application interactions.

Layer 9: Liability

This hasn't really happened yet, but will have to once SOAs go multi-enterprise - I expect it will also be retrofitted to existing models. Fundamentally, if have a contractual arrangement with some service which advertises a QoS that it doesn't meet, you need to nail someone to get your money back. This maps not only to the "financial" layer in the quoted spoof, but also the "user" layer - if proof cannot be determined that the failure to meet service level is the result of someone's activity within either the organisation you're trying to nail or an organisation who provides services to them, then the chain of justice can't proceed beyond your original suit to the point where a perpetrator gets what's coming to them. I have some thoughts on what could potentially be done in this area, but I'm saving them for my traditional April 1st "Jest in Sober Earnest" posting :-).

I also have some ideas around the "political" piece - inasmuch as policy would be the thing which drives a mechanism regarding what is chosen to communicate with or not - but these remain Sun-only for the time being ;-).

(2007-03-04 06:53:56.0) Permalink Comments [0]

In Memoriam

My Dad died 10 years ago today. It's fair to say that he was the biggest influence on my life so far - not only in terms of genetics, but also as teacher, shaper of thought processes, and bloody good pal.

George William Leonard Walker (6th May 1934-4th March 1997), RIP.

Here's to you, mate (fx: raises pint of good ale).

(2007-03-04 06:14:19.0) Permalink Comments [0]

20070303 Saturday March 03, 2007

"Web 2.0 in 04:31"

I'm not a big YouTube user, mostly because the footage looks like it was shot through a lens made of Tupperware. However, if you've not seen the 4.5 minute video by Michael Wesch from Kansas State Uni, go here and watch it. Trust me on this, it's worth the time. Also, a really handy point if you're working in an open office area, is that the message still comes across just as clearly with the sound off.

Slightly OT, but when it comes to presentations in Lessig style (such as Hardt on "Identity 2.0" here and Muffett on business blogging here), I think watching the footage with the sound turned off makes for an interesting effectiveness comparison - if the message is still communicated effectively sans audio, the job's well done.

I've not tried doing a presentation myself the Lessig way yet, but am considering it at some point where realtime audience interaction isn't a priority.

(2007-03-03 07:41:45.0) Permalink Comments [2]

20070221 Wednesday February 21, 2007

.gov.uk Goes Mad, Again

I had to do a little paperwork for the company car scheme yesterday, to acknowledge the fact that the allowance I get for running a private car has gone up. While this is no inconvenience (getting a little more cash is always pleasant), I was surprised by an additional paragraph and set of bullet points in the email from our fleet manager, which read thus:

On 1st July 2007 the Smoke free premises and vehicles legislation regarding smoking in vehicles comes into force (in England), with proposed fines rising to £2500. Company vehicles are affected as the ban covers all enclosed public places, the law covers company cars, pool cars and hire cars. If a company car or van is likely to be used by more than one driver, or carry passengers on business, regardless of whether they are in the vehicle at the same time it must be a smoke free zone. Although privately owned vehicles are not covered by the new law it is unclear if privately owned vehicles are affected if they are being used for business purposes.

Exemptions

Drivers of convertibles will be exempt as long as the roof of the vehicle is down when they or their passengers are smoking. Smoking is allowed in vehicles which are for sole use of the driver and are not used by anyone else as either a driver or passenger. Proposed fines:

  • Smoking in a smoke free vehicle – between £50 and £200
  • Failing to display a clear no smoking sign in a smoke free vehicle – between £200 & £1000
  • Failing to do enough to prevent smoking in a smoke free vehicle – up to £2500
Various aspects of this astonish me. First, I'd have thought that the interior of a privately-owned vehicle - whether used for business purposes or not - was most definitely not a public place. After all, I'm allowed to keep people out of my Aston by the simple act of locking it, and I get to decide who does and does not get to sit in it. That's hardly conducive with it being classed as "public", especially since I don't have to post a set of opening times in the window.

Second, having to display a sign seems rather over the top - simply telling people not to light up should be sufficient. In the (hopefully unlikely) event that I have to put one of these things in the Aston, it'll hand by a thread from the rear view mirror - I'm not putting anything adhesive on my leather and carbon fibre dashboard.

Third, what constitutes "doing enough to prevent smoking"? Reductio ad absurdum and with tongue at least partly in cheek, in the event that someone sitting in my passenger seat lights up, can I legitimately remove my cockpit fire extinguisher from its bracket and discharge it in their face? Would I, by doing this, not only escape the £2500 fine but also the charge of common assault? If I'm driving at the time, does using a fire extinguisher carry the same penalty as using a mobile 'phone?

I suspect there will be some bizarre test cases around this legislation when it comes in (and a colleague who shall remain nameless has already told me that if I ever need to do the fire extinguisher thing, he'll cover my legal costs provided the moment is captured on video for posterity and posted to YouTube...).

I don't want people smoking in my car anyway, but this legislation seems decidedly crazy.

(2007-02-21 03:50:50.0) Permalink Comments [3]

20070216 Friday February 16, 2007

Tempus Fugit (well, Summer Time, at least)

The US has decided to change the dates at which transitions between Daylight Saving (aka Summer) and Standard time happen; specifically, the US Energy Policy Act of 2005 (EPACT) mandates that Daylight Saving Time (DST) in the US start on the second Sunday in March and end on the first Sunday in November starting in 2007. In 2007, the start and stop dates will be March 11 and November 4, respectively. The start date for DST in the US was previously the first Sunday of April and the end date for DST in the US was previously the last Sunday of October.

Most Canadian provinces, and the Bahamas, have announced that they will follow suit. Some other countries have yet to decide.

Either way, if you have systems which are in timezones anything from GMT-5 to GMT-10, or which interact with systems there which aren't on UTC, you need to know about these changes and potentially apply patches.

See http://www.sun.com/bigadmin/hubs/dst/.

(2007-02-15 16:10:33.0) Permalink Comments [2]

20070214 Wednesday February 14, 2007

Happy Birthday to me...

I got another year older yesterday. I didn't blog about it on the day, as I wanted to see how everything turned out first - it turns out that it was the best birthday I've had in a long time :-).

I'm in California this week, at our internal Security Ambassador conference. I'm presenting a number of sessions on various fun things. Anyway, yesterday started well; at 07:00 I got a wake-up call from a colleague back in the UK who sang "Happy Birthday" to me, I got a couple of surprise cards from folk in the office, and there was a full chorus of "Happy Birthday" from the audience after I'd finished one of my presentations and before they'd let me off the podium :-).

Then, dinner. There's probably no finer way to spend the evening of your birthday than surrounded by a bunch of pals from all parts of the world, and who you get to see rather less of during the year than you'd like, crammed into your favourite Mexican restaurant eating seriously spicy seafood and sipping Margueritas. I'd sent an RSVP email to an internal mail alias for off-topic security community stuff the previous week and had 12 positive replies, so secured a table for 15 - in the end, there were 23 of us and we had to overflow a bit! I was also treated to yet another round of "Happy Birthday" - in Spanish this time - by the staff, and a little creme caramel dessert with a candle in it.

A surprise guest was Cynthia Milton - former Sun employee, mad motorcyclist and old pal of Alec's who is currently circumnavigating the globe on her BMW; she left the UK 2.5 years ago, happened to be in California, and dropped by to catch up with folk. She's off to the top end of Canada next, before having the bike (and herself) shipped to Cape Town and riding up Africa. Alec and I agree that she needs to turn all this into a book when she eventually gets home; it's been done before, but not like this. I also got to have a chat over the 'phone with Alec's pal Adriana, and we agreed we need to catch up for a chat when we're both back in the UK.

I was hit with a hard combination of general fatigue and jetlag when I got back to the hotel, sank a pint of ale and hit the hay just before 23:00, "all Birthdayed out".

Many thanks to all who wished me well, signed cards, emailed, 'phoned and partied. You guys rock.

Update:

Photos from the conference can now be found here.

(2007-02-14 09:29:32.0) Permalink Comments [2]

Calendar

« December 2009
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
   
       
Today

RSS Feeds

XML
All
/Cooking
/General
/Java
/Networking
/Security

Search

Links

Innovate on OpenSolaris

  Read via bloglines :
British Blog Directory.


Navigation


blogs.sun.com
Weblog
Login


Referers

Today's Page Hits: 141