Liudvikas Bukys

Ed Felten discusses an interesting dispute among astronomers regarding how long scholars should withhold discoveries so they can retain exclusive access and get credit for more original papers. (Aside: As I note in his comments, while this is largely self-governing because everybody has incentives to publish, there are occasional extreme examples of scholarly hoarding, such as the decades-long embargo on publication of some Dead Sea Scroll materials.)

The security angle on this is that the dispute is about whether the Spaniards scooped the Americans by reverse-engineering a temporary name published in an advance abstract of a paper. The temporary name contained a date that could have served as an index into a telescope activity log, revealing the position of the newly-discovered object.

The lesson is that a cookies or nonces (temporary data values to be used only once) should usually, in security applications, be content-free (long, random, unpredictable, and generated with a random number generator not prone to reverse engineering itself). Structured or predictable nonces can lead to information leaks or to vulnerability to forgery. Short nonces fall to brute-force search.

I just happily discovered that GMail settings support non-GMail “From:” addresses. It’s a welcome feature for me, as I had no intention of binding to a vendor domain name ever again.

Perhaps it has been a feature for quite some time, and I just wasn’t aware of it. GMail is predisposed toward pleasant surprises without fanfare (e.g. “plus addresses” are supported too).

Network coding applied to P2P content distribution, as seen in Microsoft’s Avalanche research paper, is motivated by network performance improvement: it makes good use of available network throughput by filling the pipes with data that is useful to others, while avoiding the difficult problem of selecting what your downstream peers will need. Nodes send linear combinations of everything they’ve got, and receivers can reconstruct what they need from that.

There are interesting implications for content filterers. Previously one could argue that transmitting combined blocks (e.g. XOR a file with the U.S. Declaration of Independence, the Constitution, and today’s Dilbert) is purely an obfuscation technique for easily evading content recognizers. Now those techniques will be a basic component of efficiently using available bandwidth, with a side effect of making content recognition and filtering more dynamic and more difficult.

My blog and all of its content has moved from http://www.cs.rochester.edu/~bukys/weblog/ to
http://L.Bukys.org/
RSS. Now the world can stop

making fun of my URL.

It looks like BlogLines subscribers will get carried along for the ride automatically, though possibly continuing to use the old redirected feed URL. I don’t know if other RSS aggregators will need to be manually updated to follow the permanent redirects from the old site.

The move from MovableType to WordPress was even easier than my previous move from Userland Radio to MovableType.

Kumar, Paxson, Weaver: “Outwitting the Witty Worm: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event” is a brilliant forensic analysis. Their overview:

Many Internet worms use pseudo-random numbers to scan the IP address-space. In this project, we reverse engineered the state of the pseudo-random number generator (pRNG) which the Witty worm used to generate packets. By combining our knowledge of Witty’s code with the pRNG state, we performed a detailed recreation of the worm’s spread. We were able to discover several characteristics of the infected systems, including their uptime, network access bandwidth, and number of disks. Additionally, we were able to find specific details about the worm author’s deliberate targeting of a US Military base, and determine the identity of Patient 0, the system used to launch the worm.

and there’s interesting followon discussion at SecurityFocus.

My personal log of “this could be you” security examples
here
wasn’t ever exhaustive, and tended to be university-centric.
For those looking for a thorough view, these look like good places to keep an eye on:

• Adam Shostack’s
  breaches blog
• the Privacy Rights Clearinghouse
  chronology

At some point, the frequency will overwhelm the reporters, the readers’ eyes may glaze over, data will be available but more aggregated. Right now the California SB1798 requirement plus the high public scrutiny seem to be causing improvement in de facto standards for reporting. That will level off as companies and institutions test what they can get away with.

• Do not open the thermostat. Call Facilities to adjust. A mechanic will visit twice a year to adjust it, to secure the Allen screws, and to scold you about opening it. (Note: those unsolicited visits don’t happen any more.)
  
• Wave arms periodically to turn lights back on. (Note: Many creative mobiles and lightweight origami figures have been invented, with the common feature of being light enough to catch ambient airflow.)
  

I haven’t posted a blog entry here in four months. Here is my revised blogging strategy:

• Raw:
  My personal link-blogging has shifted to
  my Furl archive
  RSS,
  which continues to be my frequently-updated repository of interesting links, annotated with clips, tags, and brief remarks.
  Though I dislike Furl’s default rendering into both HTML and RSS (del.icio.us is much more pleasant), its archiving feature is indispensable to me, and the Furl folks have listened to some of my suggestions, so I see hope for improvement.

• Rare, and well-done:
  Stay tuned, I am still planning to post occasional articles to this site. I am saving up links to content that is overlooked and deserves more attention. In other cases I’m chewing on my own thoughts and will have something original to say.

I’ve noticed that quite a few sites that I read have followed a similar trend, toward less frequent but meatier posting. There are only two high-volume bloggers that I read, plus I follow the Furl / del.icio.us / DashLog blogs of two esteemed colleagues. Everyone else gets my attention only with low quantity and high quality.

myNetWatchman’s SecCheck is a handy tool available as ActiveX or DOS executable. It dumps out a bunch of configuration detail from your system:

• Currently active processes
• Defined services
• Startup folder items
• Startup Registry Key contents
• Applications listening for inbound connections
• Applications with active network communications
• Active Browser Helper objects (BHOs)
• Installed ActiveX controls
• Module dump (DLLs) for all active applications

If you don’t mind trusting the executable content from myNetWatchman, it’s faster and easier than downloading a bunch of separate tools (fport, etc) to do the same thing.

As a former university information security officer I take particular interest in these things (this could be you):
Hacker compromises data at George Mason University – Computerworld:

The names, photos and Social Security numbers of more than 32,000 students and staff at George Mason University in Fairfax, Va., have been compromised as the result of a hacker attack against the university’s main ID server.
The attack was discovered during a routine review of system files and prompted the school to disconnect the compromised server from the network, according to an e-mail sent to members of the university community yesterday by Joy Hughes, the school’s vice president for information technology.