Archive for the ‘ESSAYS’ Category.

Astronomical nonce sense

Ed Felten discusses an interesting dispute among astronomers regarding how long scholars should withhold discoveries so they can retain exclusive access and get credit for more original papers. (Aside: As I note in his comments, while this is largely self-governing because everybody has incentives to publish, there are occasional extreme examples of scholarly hoarding, such as the decades-long embargo on publication of some Dead Sea Scroll materials.)

The security angle on this is that the dispute is about whether the Spaniards scooped the Americans by reverse-engineering a temporary name published in an advance abstract of a paper. The temporary name contained a date that could have served as an index into a telescope activity log, revealing the position of the newly-discovered object.

The lesson is that cookies or nonces (temporary data values to be used only once) should usually, in security applications, be content-free: long, random, unpredictable, and generated with a random number generator that is not itself prone to reverse engineering. Structured or predictable nonces can lead to information leaks or to vulnerability to forgery. Short nonces fall to brute-force search.
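To make the three properties concrete, here is an added example (mine, not from the post): a date-bearing "temporary name" in a constructed format that anyone can decode back to the date, its tiny search space, and a server-side registry that issues content-free nonces and honours each one exactly once.

```python
import datetime as dt
import hmac
import secrets

def structured_nonce(day: dt.date, seq: int) -> str:
    """A 'temporary name' built the way the dispute describes (constructed
    format): the observation date is simply encoded in the value."""
    return f"{day:%Y%m%d}-{seq:03d}"

def recover_date(nonce: str) -> dt.date:
    """Anyone holding the nonce reads the date back out, and that date is
    the index into an activity log that the post describes."""
    return dt.datetime.strptime(nonce.split("-")[0], "%Y%m%d").date()

def structured_search_space(days: int, seq_per_day: int = 1000) -> int:
    """Guesses that exhaust the structured scheme over a window of days."""
    return days * seq_per_day

def content_free_nonce(nbytes: int = 16) -> str:
    """Long, random, unpredictable and information-free: from the OS CSPRNG."""
    return secrets.token_hex(nbytes)

class NonceRegistry:
    """Server side: issue content-free nonces and accept each one at most once."""
    MIN_BYTES = 16                                  # 128 bits: brute force is hopeless

    def __init__(self) -> None:
        self._outstanding = set()

    def issue(self) -> str:
        nonce = content_free_nonce(self.MIN_BYTES)
        self._outstanding.add(nonce)
        return nonce

    def redeem(self, presented: str) -> bool:
        # Too-short values are rejected outright; the rest are compared in
        # constant time so timing does not leak how close a guess came.
        if len(presented) < 2 * self.MIN_BYTES:     # hex: two chars per byte
            return False
        match = next((n for n in self._outstanding
                      if hmac.compare_digest(n, presented)), None)
        if match is None:
            return False
        self._outstanding.discard(match)            # single use: a replay fails
        return True
```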

GMail fronts for other domains

I just happily discovered that GMail settings support non-GMail “From:” addresses. It’s a welcome feature for me, as I had no intention of binding to a vendor domain name ever again.

Perhaps it has been a feature for quite some time, and I just wasn’t aware of it. GMail is predisposed toward pleasant surprises without fanfare (e.g. “plus addresses” are supported too).

Linear combinations are not just for obfuscation any more

Network coding applied to P2P content distribution, as seen in Microsoft’s Avalanche research paper, is motivated by network performance improvement: it makes good use of available network throughput by filling the pipes with data that is useful to others, while avoiding the difficult problem of selecting what your downstream peers will need. Nodes send linear combinations of everything they’ve got, and receivers can reconstruct what they need from that.

There are interesting implications for content filterers. Previously one could argue that transmitting combined blocks (e.g. XOR a file with the U.S. Declaration of Independence, the Constitution, and today’s Dilbert) is purely an obfuscation technique for easily evading content recognizers. Now those techniques will be a basic component of efficiently using available bandwidth, with a side effect of making content recognition and filtering more dynamic and more difficult.
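An added illustration of the mechanism (my own toy code, not the Avalanche implementation): coded packets are random XOR combinations of source blocks tagged with their coefficient mask, a receiver recovers the originals by elimination over GF(2), and a hash-based recognizer only ever flags the packets that happen to contain a single block. The block contents and sizes are constructed.

```python
import hashlib
import secrets

K, BLOCK_LEN = 4, 16
# Constructed sample content, not data from the Avalanche paper.
SOURCE = [f"src-block-{i}".encode().ljust(BLOCK_LEN, b".") for i in range(K)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode(blocks: list) -> tuple:
    """Coded packet: XOR of a random non-empty subset; mask bit i => block i."""
    mask = 0
    while mask == 0:
        mask = secrets.randbits(len(blocks))
    payload = bytes(BLOCK_LEN)
    for i, blk in enumerate(blocks):
        if mask >> i & 1:
            payload = xor(payload, blk)
    return mask, payload

class Decoder:
    """Receiver side: incremental Gaussian elimination over GF(2)."""
    def __init__(self, k: int):
        self.k, self.rows = k, {}                   # pivot bit -> (mask, payload)

    def add(self, mask: int, payload: bytes) -> bool:
        for p, (m, pl) in self.rows.items():        # eliminate known pivots
            if mask >> p & 1:
                mask, payload = mask ^ m, xor(payload, pl)
        if mask == 0:
            return False                            # dependent: adds nothing
        p = (mask & -mask).bit_length() - 1         # lowest set bit becomes pivot
        for q, (m, pl) in self.rows.items():        # back-substitute into old rows
            if m >> p & 1:
                self.rows[q] = (m ^ mask, xor(pl, payload))
        self.rows[p] = (mask, payload)
        return True

    def blocks(self) -> list:                       # valid once len(rows) == k
        return [self.rows[i][1] for i in range(self.k)]

def simulate() -> tuple:
    """Returns (packets used, recovered == SOURCE, payloads a recognizer flagged)."""
    known = {hashlib.sha256(b).digest() for b in SOURCE}
    dec, sent, flagged = Decoder(K), 0, 0
    while len(dec.rows) < K:
        mask, payload = encode(SOURCE)
        sent += 1
        flagged += hashlib.sha256(payload).digest() in known   # single-block packets only
        dec.add(mask, payload)
    return sent, dec.blocks() == SOURCE, flagged
```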

Blog moved

My blog and all of its content have moved from http://www.cs.rochester.edu/~bukys/weblog/ to http://L.Bukys.org/ (RSS). Now the world can stop making fun of my URL.

It looks like BlogLines subscribers will get carried along for the ride automatically, though possibly continuing to use the old redirected feed URL. I don’t know if other RSS aggregators will need to be manually updated to follow the permanent redirects from the old site.

The move from MovableType to WordPress was even easier than my previous move from Userland Radio to MovableType.

Policy Metaphors

  • Do not open the thermostat. Call Facilities to adjust. A mechanic will visit twice a year to adjust it, to secure the Allen screws, and to scold you about opening it. (Note: those unsolicited visits don’t happen any more.)
  • Wave arms periodically to turn lights back on. (Note: Many creative mobiles and lightweight origami figures have been invented, with the common feature of being light enough to catch ambient airflow.)

Raw, rare, or well-done?

I haven’t posted a blog entry here in four months. Here is my revised blogging strategy:

  • Raw:
    My personal link-blogging has shifted to my Furl archive (RSS), which continues to be my frequently-updated repository of interesting links, annotated with clips, tags, and brief remarks. Though I dislike Furl’s default rendering into both HTML and RSS (del.icio.us is much more pleasant), its archiving feature is indispensable to me, and the Furl folks have listened to some of my suggestions, so I see hope for improvement.

  • Rare, and well-done:
    Stay tuned, I am still planning to post occasional articles to this site. I am saving up links to content that is overlooked and deserves more attention. In other cases I’m chewing on my own thoughts and will have something original to say.

I’ve noticed that quite a few sites that I read have followed a similar trend, toward less frequent but meatier posting. There are only two high-volume bloggers that I read, plus I follow the Furl / del.icio.us / DashLog blogs of two esteemed colleagues. Everyone else gets my attention only with low quantity and high quality.

GMail implements “plus addresses”

I had the opportunity to join GMail [beta]. My first piece of feedback to them was a request for user-defined recipient sub-addresses (e.g. using the sendmail “username+anything@domain” convention). Having that available for recipient filtering is more reliable than trying to parse numerous styles of correspondence (some list software inserts List-ID, some doesn’t, etc).

It turns out that GMail already implements the sendmail ‘+’ convention.
It works, but as far as I can tell, it’s not documented anywhere — or at least I didn’t think of the right search terms for it.

I hope that this creates new incentives for web sites and other email address-processing software to stop violating RFC2822 by excessively restricting the character set of email addresses.
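An added example (mine, not GMail’s or sendmail’s code) of both halves of this post: splitting a “user+tag@domain” recipient so a filter can file on the tag rather than on List-ID guesswork, and an RFC 2822 dot-atom check next to a constructed form-style pattern of the over-restrictive kind that rejects the “+”. The addresses and headers are constructed.

```python
import re
from typing import Optional

# RFC 2822 "atext": the characters allowed unquoted in a local part, '+' among them.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
RFC2822_ADDR = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*@{DOMAIN}$")
# Constructed stand-in for a typical over-restrictive web-form check:
# letters, digits, dot, underscore and hyphen only, so '+' is refused.
RESTRICTIVE_ADDR = re.compile(rf"^[A-Za-z0-9._-]+@{DOMAIN}$")

def parse_sub_address(address: str) -> tuple:
    """Split user+tag@domain into (user, tag or None, domain), sendmail style."""
    local, _, domain = address.rpartition("@")
    user, plus, tag = local.partition("+")
    return user, (tag if plus else None), domain

def canonical_mailbox(address: str) -> str:
    """The mailbox that really receives the mail: tag dropped, domain lowercased."""
    user, _, domain = parse_sub_address(address)
    return f"{user}@{domain.lower()}"

def route_by_tag(headers: dict, my_domain: str, default: str = "INBOX") -> str:
    """Filter rule: file by the sub-address tag found in the recipient headers."""
    for field in ("Delivered-To", "To", "Cc"):
        for addr in re.findall(r"[^\s,<>]+@[^\s,<>]+", headers.get(field, "")):
            user, tag, domain = parse_sub_address(addr)
            if domain.lower() == my_domain and tag:
                return tag
    return default

def accepted_by(pattern: "re.Pattern", address: str) -> bool:
    """Does a validator admit this address at all?"""
    return pattern.fullmatch(address) is not None
```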

P.S. If anyone else wants to try GMail [beta] also, let me know; I now have a ration of invitations too.

Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of VX2Finder.
Removal required VX2Finder, regedit/regedt32 (the significant key has a name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to a John Battelle article):

Looking at the top downloads at download.com is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

Look2Me is evil, and Windows is a bad platform

My home Windows 2000 machine is infested with Look2Me spyware.
Who knows which of our family of five attached this IE “shell extension” nuisance.
Now the question is: how do I get rid of it? None of the published instructions has worked.
The vendor’s uninstaller doesn’t. (Of course it’s overly kind to call a producer of unwanted intrusive privacy violation software a “vendor”.)
The manual uninstall directions haven’t worked either.
I know it’s still there because ZoneAlarm shows it trying to phone home.

Look2Me interacts really badly with ZoneAlarm, because while ZoneAlarm can and will prevent the frequent attempts by winlogon and rundll32 to contact 69.20.20.161 port 80, it does cause some kind of resource exhaustion that prevents any new TCP session from being established 20 minutes or so after a reboot.

Anybody with fresh ideas for uninstall, let me know. I suspect that people will be asking me for help for years to come as they find this page while searching for winlogon, rundll32, ZoneAlarm, or 69.20.20.161.

This all happened on a machine up-to-date with patches.
Patches and reactive measures such as virus patterns don’t change the fact that Windows is a bad platform, for even casual use.
The barriers against mischief are just too low – defense without depth.

Benchmark the anti-spam industry!

It would be very valuable to have an ongoing head-to-head benchmarking of all the current contenders in the anti-spam industry — not just the learning systems, but the online dynamic systems as well.
Form a consortium, operate a bunch of systems (be a customer of commercial systems).
Use the same simultaneous data stream as input, and capture real-time state from the online dynamic systems (return it to the providers so they can replay what went wrong [or right]).
Publish the performance results.

It would generate good data for more research, and really useful comparable performance metrics.
I’m not sure if that would be seen as a good thing or a bad thing by the commercial services. Laggards in the horserace might prefer less measurement.
Actually, what I think it would show is that most systems are “almost good enough,” that all systems will soon be “good enough,” that there’s little excuse not to deploy something, but there’s plenty of space for distinction based on features such as administration, tunability, interface, integration.
But one would hope that performance metrics would drive the industry forward.

A SPEC effort for real-time and offline anti-spam systems!
Is anyone else inspired by the idea of a non-biased testing/evaluation consortium?