Rantings from the Lunatic Fringe

The mad genius that is my corporally cohabiting twin speaks here. When the mad genius goes offline, my other selves work as "an" IT security specialist for a large corporation based in London... sometimes the things we experience in that world may intrude upon the confabulations contained herein, as may the experiences of a thirtysomething from Cape Town adjusting to life in London.

Tuesday, October 10, 2006

Hmmm...

My wife just told me that my complexities override my simplicities.

Say WHAT?!?

Life in the Lonely Lane

If we truly emancipate our existence from the influence of imaginary higher powers, we often find ourselves feeling not only suddenly liberated, but also very, very lonely.

Gone are the crutches of divine "purposes" and "plans" that we so often used to frame our lives in, and in rushes a formless void to... umm... not fill the space.

No longer can we appeal to an all-seeing, all-knowing, all-wise and all-present deity and ask "why" every time life serves us a curveball; instead, we find ourselves staring blankly into the void, unable to cast blame and with nothing to appeal to.

Welcome to life in the lonely lane, where few truly travel, but where all who do, do so truly alone.

Sometimes, emancipation from God can really suck!

Too high a price, perhaps? No wonder the ancients created the gods for us to clutch to for comfort, appeal to in times of distress, and to scare us into social obedience... but at what price did that comfort come? I find myself constantly wondering how much we are truly willing to lose in exchange for a bit of comfort from the gods, or from the governments that now seek to intrude into our personal lives in order to keep us "safe" from terrorists, conkers, and all the other evils that lurk in our world.

A truly free person is a vulnerable person. The same goes for societies.

How long before we find ourselves, recently emancipated from the clutches of the gods, having to go through a similar exercise with respect to our new minders and keepers sitting on high in parliaments, replacing those very gods we overthrew, asking us to again trade our precious, hard-won but eternally fragile freedom for a little bit of comfort?

Tuesday, August 15, 2006

Strange Security...

The US Department of Homeland Security has declared an entire state of matter to be a national security risk!

Enjoy.

http://cosmicvariance.com/2006/08/12/liquid/

Thursday, June 29, 2006

RIP God

God is dead. God remains dead. And we have killed him. How shall we, murderers of all murderers, console ourselves? That which was the holiest and mightiest of all that the world has yet possessed has bled to death under our knives. Who will wipe this blood off us? With what water could we purify ourselves? What festivals of atonement, what sacred games shall we need to invent? Is not the greatness of this deed too great for us? Must we not ourselves become gods simply to be worthy of it?

-- Friedrich Nietzsche


Indeed, where do we turn once we have freed ourselves from all that we once held to be higher than us? How do we face the day, and the uncertainty of tomorrow when we have no steadfast rock?

And how should we interpret morality, ethics and values? Or even beauty and form?

Do we view our entire existence as pointless, and the world as pointlessly beautiful?

An excellent discussion of the topic and the significance of this passage from Nietzsche's Gay Science can be found at: http://en.wikipedia.org/wiki/God_is_dead. It's a good read.


Wednesday, April 19, 2006

Excerpt from Bruce Schneier's Crypto-Gram, 15 April 2006 (VERBATIM)

Movie-Plot Threat Contest

NOTE: If you have a blog, please spread the word.

For a while now, I have been writing about our penchant for "movie-plot
threats": terrorist fears based on very specific attack
scenarios. Terrorists with crop dusters, terrorists exploding baby
carriages in subways, terrorists filling school buses with explosives
-- these are all movie-plot threats. They're good for scaring people,
but it's just silly to build national security policy around them.

But if we're going to worry about unlikely attacks, why can't they be
exciting and innovative ones? If Americans are going to be scared,
shouldn't they be scared of things that are really scary? "Blowing up
the Super Bowl" is a movie plot to be sure, but it's not a very good
movie. Let's kick this up a notch.

It is in this spirit I announce the (possibly First) Movie-Plot Threat
Contest. Entrants are invited to submit the most unlikely, yet still
plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror. Make the American people notice. Inflict
lasting damage on the U.S. economy. Change the political landscape, or
the culture. The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled
people, and about $500,000 with which to buy skills, equipment, etc.

Post your movie plots here on this blog.

Judging will be by me, swayed by popular acclaim in the blog comments
section. The prize will be an autographed copy of Beyond Fear. And if
I can swing it, a phone call with a real live movie producer.

Entries close at the end of the month -- April 30.

This is not an April Fool's joke, although it's in the spirit of the
season. The purpose of this contest is absurd humor, but I hope it
also makes a point. Terrorism is a real threat, but we're not any
safer through security measures that require us to correctly guess what
the terrorists are going to do next.

Good luck.

Post your entries, and read the others, here:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Movie-plot threats:
http://www.schneier.com/essay-087.html

http://www.time.com/time/nation/article/0,8599,175951,00.html
http://www.schneier.com/blog/archives/2005/10/exploding_baby.html
http://www.schneier.com/blog/archives/2006/02/school_bus_driv.html
http://www.imdb.com/title/tt0075765

There are hundreds of ideas here:
http://cockeyed.com/citizen/terror/plans/terrorwatch.html

Thursday, April 13, 2006

The Friendly City of Tuttle...

... has a very unfriendly city manager!


Read this and weep.


Tut, tut... (pun intended)

Friday, April 07, 2006

April Fooled Last Week?

Too late now, but be prepared for next time! Check this wikipedia link for a list of well-known April Fool's hoaxes and jokes:

http://en.wikipedia.org/wiki/April_Fool's_Day

(Anyone who signed up for Google Romance this week: did you notice that the word "gullible" was removed from the 2006 edition of the Oxford Dictionary?)

POETS Day

I love POETS Day... It's the best day in my calendar, and better yet, it's a weekly occurrence!

"Piss Off Early, Tomorrow's Saturday"


Speaking of which... this week it felt as though POETS Day were about two days late. :-/

Wednesday, March 29, 2006

I Love My Job

I have a great job... I love my job...

I work with wonderful people...

I have a great job... I love my job...

I work with wonderful people...

I have a great job... I love my job... I love my job...

I do... I do...


No, really... I do...

Monday, August 08, 2005

Aggressive Heart

Angela's father suffered a heart attack on Saturday morning, and suddenly our lives changed.

A cocktail of emotions: take one part sense of shock at how suddenly such a terrible thing can happen to someone so strong, add two parts relief at his survival and the promise of recuperation and one part apprehension at the prospect of bypass surgery, mix well and chase down with the hectic scramble to arrange for Angela to get to where her dad is.

How rudely and unexpectedly the fact of human mortality can intrude upon our lives!

Even when it's not a full-forced demonstration of human frailty that claims a life, a heart attack in the family really drives home a sense of our vulnerability to the tides that feed the sea of life.

Angela will be flying to South Africa tomorrow to be with her dad, but I'll be in London, reflecting on how easily everything can change... and wondering whether I really appreciate the fleeting moments we are given on this planet and with one another as much as I should.

It may be true that death gives purpose to life, but it's damn inconvenient when one has to deal with it in practice... I am just so glad that in this instance we only have to deal with it conceptually, and not with its practical implications.

Vive la vie.*

* Apologies to French grammarians the world over.

Friday, August 05, 2005

Co-o-o-o-ol Site!

Anyone responsible for writing research papers that nobody reads, or strategy papers that only idiots read, or just looking for a laugh at the expense of jargon-blasting academics, check this out:

  • SCIGen -- An Automatic CS Paper Generator
  • An article about the crap the authors get up to...

No blogging this weekend...

... because I sprained my keyboard.

Oh, sorry... it's because my mouse took a byte out of my bookmarks.

OK, OK... actually it's because Mithril will be going to live with family and their cats for a few weeks while Angela is in South Africa and I am in the Netherlands and Italy, and we will be staying over tomorrow night to ensure that Mithril does all the bullying, not vice-versa.

I'll be back on Sunday, as if anyone actually gives a damn.

Thank %DEITY% it's Friday!

What a week...

It started with a pulled hamstring, went on to a security debacle involving Michael Lynn, ISS and Cisco at the BlackHat Briefings, then on to Microsoft's Genuine Advantage programme getting hacked to pieces within 24 hours of release... and then the hacker world declares war on Cisco and a curse on ISS.

As if that were not enough, a reserved section of Cisco's website has been shown to be vulnerable to an attack that could display users' passwords... hackers could have been harvesting these passwords for months before this revelation hit the news. The reserved section is that part of the Cisco website where customers and Cisco certified "engineers" login in order to download security patches for their routers, VPN devices and firewalls.

Cisco immediately reset everyone's passwords upon being informed of the website vulnerability, thereby making it impossible for legitimate users and customers to download the latest patch for a serious flaw in their products... one that can lead to a router being comprehensively "0wned" by a hacker using the method described by Michael Lynn.

Nice one again, Cisco... when you're not trying to hide your head (and the heads of your customers) in the sand about crucial security issues, you go into knee-jerk reaction mode and totally overreact, effectively denying service to all your customers in Europe (and beyond).

Nice.

This is not the type of behaviour that one would expect from an IT security vendor, much less one that has visions of conquering the world.

Cisco may know how to make OK routers, but as a security vendor they really, truly look like twits. Not to mention that their products suck.

Gawd, I'm glad it's Friday...

And to whoever it is who said that nothing ever happens in August: where have you been?!? If this month is going to continue in its current vein, I'm outta here.

Tuesday, August 02, 2005

Cisco and ISS Strong-Arm Tactics

Those naughty blokes @ Cisco and ISS have tried to keep the information regarding the Cisco shellcode execution procedure under the carpet by sending out cease-and-desist notices to a large number of website owners who dared to post the presentation.

Naughty and stupid.

The Michael Lynn presentation "The Holy Grail: Cisco IOS Shellcode and Exploitation Techniques" must be made available to all who use Cisco routers and other IOS-based kit.

Currently, cryptome.org has a copy of the presentation, available from here. (Slow...)

If the Feds/spooks/lawyers have managed to intervene and you cannot find it online (it's called lynn-cisco.pdf), I have it in my possession, and will share it freely with anyone who simply asks. If enough people leave comments asking for it, I will put it up on a website and post a link here.

Better yet, leave me your email address (in the format: name "at" domain, not name@domain, otherwise you'll get spammed to death) and I'll send it to you in an email.

Genuinely Advantageous?

Anyone using recent Microsoft operating systems should have come across the Microsoft Genuine Advantage programme... it's designed to limit the updates (except security updates) your computer's operating system and other Microsoft software can receive if it has not been proven to be genuine.

Well, it transpires that the system can be easily fooled by pasting a slice of JavaScript into your browser's address bar. Click the title for the page that broke the news.

In case the Feds force that page offline, here's a copy of the JavaScript:

javascript:void(window.g_sDisableWGACheck='all')

Of course, the intention is that you would use this information for archival and research purposes only, and not to break the law: Microsoft's lawyers are better than yours.

Nice of Microsoft to allow pirated copies of Windows to receive security fixes though... it just shows that they are finally beginning to get to grips with their responsibility as the world's prime provider of operating systems.

Ouch

Yeah, clever me...

Thought I was eighteen again, didn't I? Well, I can inform you that I am definitely NOT eighteen anymore, or even twenty-five, and my current mode of bipedal transportation is evidence of that.

I went to a Taekwondo class last night, and it felt so-o-o-o good I forgot that I needed to look after myself after a long absence from the sport. As a result, I ignored the faint cramping that started in my hamstrings just as we were about to do some speed training... and consequently pulled a hamstring.

Ouch.

It doesn't feel too badly pulled, although I am a bit of a hopalong today... with some luck, I'll be able to train again (lightly, this time) in under a week.

Not that you care.

Friday, July 29, 2005

Ruminations on the Cisco IOS Shellcode Presentation by Michael Lynn

For the uninitiated: visit this blog on the Washington Post site for the full story of Michael Lynn's saga with his (then) employer, ISS, Cisco Systems and the organizers of the Black Hat Briefings.

In short: Mr Lynn discovered a way of exploiting certain types of vulnerabilities (known as buffer overflows and heap overflows) in Cisco IOS-based devices (routers, switches) and gaining full access (a command shell) on those devices, to the point where he could make them run programs of his choosing.

Previously, security researchers had believed this to be all but impossible, but Mr Lynn discovered that it was merely difficult, not impossible. His method works regardless of the specific vulnerability, which means that any heap or buffer overflow vulnerability could, rather than just make the router or switch reboot, let the attacker gain full, administrative-level control over the device.

The possibilities are ominous: Cisco manufactures by far the largest share of the routers that forward information hither and thither around the Internet... and anyone who can gain control of a number of them could quite conceivably cut off large portions of the Internet.

Also, routers are generally not protected by firewalls, since many people believe them to be inherently secure... and on the Internet side of your firewall, it's Router City anyway.

Are you using a Cisco router for VPN encryption? Is it running Cisco IOS? Be afraid, your VPN could become completely useless next time there's a Cisco buffer overflow vulnerability on the loose.

Fear even more if you're relying on an IOS-based firewall... your ruleset could belong to a spotty teenager, one fine day.

Suddenly an old saying of mine makes a whole lot of sense: Cisco should concentrate on building routers, and leave the making of security kit to the experts.

Anyway... Mr Lynn was about to speak on this at the Black Hat Briefings, when Cisco and his employer, ISS, put pressure on the Black Hat people to pull his presentation. He presented his piece anyway, after which they slapped a gag order on him, threatened to sue him, and then settled with an agreement that he would never speak on the topic again.

Scary.

Here we have two MAJOR security vendors trying to cover up the details of a serious security issue that affects almost all of Cisco's customers. On top of that, the cat was already out of the bag after Mr Lynn had presented his piece at the Black Hat Briefings.

So, picture this: one man knows a very scary secret that could potentially bring down over half the Internet. He tells that secret to a few people at a presentation (not sure how many), and then two companies whom many customers trust to secure their networks try to stop him from telling the rest of us.

Can you smell the bullshit here? If a small number of people knew on the day, you can bet that the hacker underground would be awash with this information by that same afternoon.

But not the good guys, who tend to listen to more "official" sources of information, like Cisco Systems and especially ISS.

Also, these good guys are the people with purchasing authority (or at least influence) when it comes to the expensive networking and network security kit that Cisco sells.

Ah. The almighty dollar has spoken, then.

No wonder Cisco wanted to keep it under the rug. But their play backfired: word got around, as did the presentation, and the hacker and security communities reacted with venom: another hacker convention, DEFCON 13, officially changed their slogan to "FUCK CISCO", and I would expect that a lot of that will be happening shortly. :-)

For my part, a curse on Cisco, and a curse on ISS. We trusted you to act in the best interests of your customers, and you did THIS to us? Trustworthy, open, honest lot you are. Just what we need in infosec.

Security by obscurity... from YOU?

Guess where money from my budgets is NOT going in future.

Some cool links:

Washington Post blog with my comment
Bruce Schneier's blog in this regard
SecurityFocus article
The presentation (aargh, the lawyers got to it!)

Back to the Sweatshop

I came back from watching a Taekwondo class about an hour ago (what's with these Brits, training until 10pm at night?), and feel invigorated at the prospect of getting back into the sport after over two years of loafing about and getting fat.

Not that I don't have a good excuse: almost two years ago, I was diagnosed with myocarditis and made to lie flat on my back for almost 6 weeks. (The Sci-Fi Channel got some serious abuse during that time!) Ever since then, I have been a bit testy about going back to train, since the sport is really high-energy, and almost totally cardiovascular in nature.

The "weak heart" excuse even works on people who should be forcing me to train again.

But time for excuses has come to an end... I tip the gym scales at a smidgen under 97 kilograms, which is 19 kilos more than I weighed when I was competing in Taekwondo at a national level back in South Africa. (OK, that was about 10 years ago!)

Gym work will never get all that weight off me, because I refuse to use the treadmills, bicycles or steppers... far too boring, even when watching TV at the same time.

So, on Monday it's back to the dojang for me. I think I'll wear a white belt for the first three months, as I'm sure I will look really daft trying to act like I used to when I was on top form, jumping in the air and kicking like a turbo-charged windmill, but this time with a body not quite capable of pulling such capers off. A prayer for my hamstrings might not hurt. :-)

I am actually looking quite forward to it... you would not believe it if you saw me today, but I hold a second Dan in the sport, and can recall few times in my life when I have been as happy as I have been in a Taekwondo class. It is such a fun, energetic sport that I believe everyone should give it a go... and lazy lardballs like me who have all but given up should be forced to get back into it, even if at gunpoint.

Ki-hap!

Wednesday, July 27, 2005

Pace of Change

Ever get frustrated, as I often do, when the all-singing, all-dancing, all-powerful computer equipment you shelled out tons of dosh for just six months ago is described, for all intents and purposes, as "lame, loser kit that wusses out at the merest mention of workload" in all the marketing materials for the new kit?

But worse still: have you ever noticed how lame, loser-ish and wussy your kit actually DOES seem to become shortly after the new generation of hardware is released? Even running the same software, drivers, operating system, and games, the machine feels like it's slowed to a crawl.

Suddenly, 80-odd fps in Half-Life 2 with all the eye candy switched on is just so... yesterday.

But that 5% performance increase promised by the very latest CPU/graphics card/memory/mouse would just be bloody nirvana.

Those marketing droids have us all taped, and the worst thing is that even though we know it, we're powerless to resist their siren call to upgrade yet again.

And yes, this old Athlon64 FX-55 does seem a little sluggish nowadays, doesn't it?

Network Kung Fu

Hmmm... good cure for insomnia if you're not a total geek (I found it compelling reading!), but also a good story about one guy whose network kung fu was better than that of the baddies.

Scary though... who would have thought that a spotty teenager with a keyboard and a few shell scripts could potentially command an army of broadband-fed, Intel-powered, Microsoft-facilitated, idiot-owned zombie machines that could saturate 3-Gigabit-plus pipes into the Internet like they were on an accelerated-cholesterol diet?

And most computer users today still look at you blankly when you ask them whether they're running a personal firewall or whether they have applied the latest operating system patch... soon enough, governments will begin to require that people get licenses before they're allowed to operate computer equipment more powerful than a hairdryer.

I have seen the enemy, and... it's... the recklessly clueless computerized middle classes of the First World!

Run.

Fast.

Just... can't... sleep!

Aaah, the life of the insomniac...

The living hell of waking slumber at night and slumbering wakefulness that follows in the day.

Thank %DEITY% for caffeine!

Too bad they don't sell melatonin in Boots... other stuff turns me into a zombie, proof positive that modern medical science is still mostly glorified witchcraft.

But we always knew that, didn't we?

Tuesday, July 26, 2005

Hello...

... anyone there?

Anyone?

Just the voices in my head, for now. At least they drown out the ringing.

More later.