MITM on jury duty

Yesterday I reported to my local Hall of Justice for jury duty.

They offer free wireless for jurors waiting to be called into the court. In the vicinity was the state-run access point, and a host-to-host wireless network calling itself “Free Internet Service”.

What could that be but a man-in-the-middle attacker interested in packet capture? It could have been one of the other jurors. Or a box somebody placed deliberately close to the known public access point.

Due to security fatigue I didn’t even try to gather any information on the rogue. Now my conscience is catching up to me, telling me I should at least tell the Hall of Justice folks, in case this MITM is a permanent installation.

lcms speed

Note for other open source color management system users searching for more transform speed from the LittleCMS library:

Turning off the one-entry cache cuts 40% from runtime – unless you’re transforming large uniform blocks for which a one-entry cache is actually suitable.

Eliminating the general-purpose byte packing and unpacking functions and replacing them with inline encoding-specific equivalents cuts another 15% of runtime.

Compound savings: 49%, or 2x speedup, which is what someone claimed on an lcms mailing list once without providing the code.

Future work: The cached performance could be made better by observing that all the thread-safe memory locking I find in lcms-1.17 is unnecessary if you assume that thread-local caches on the stack are just fine. Forget the locking, and inline the cache comparisons. I had no need to implement it though, so this is only theoretical.

[If you found this by search engine and it helped you out, drop me a note.]

Prediction for 2008: Service providers avoid straightforward DTV answers

Like many others in 2008, I am cheap, don’t buy TVs very often, subscribe only to basic cable, and have questions about the impending February 17 2009 shutdown of analog over-the-air TV channels.

My prediction for 2008 is that confusion will reign because part of the answer is provided by cable, satellite, or telephone service companies, and their incentive is to maintain confusion because that’s an effective “up-sell” technique.

The simple story is that over-the-air (OTA) analog goes away, replaced by OTA digital. For OTA consumers, it’s just a matter of getting an ATSC tuner (built-in to a newer TV, or standalone with a government-subsidizied coupon).

The part that is different for every locality and service provider: what to do with analog TVs on analog cable systems. For every locality there is a simple cable story: the cable company could tell you their plans for analog channels, e.g. “We’ll continue to carry local channels for our analog customers through [let’s say] 2012.” But the cable companies will generally avoid that story. (I tried to extract it from TWC and they failed the first test, answered the wrong question entirely.)

Why would they tell you a simple “analog on cable is OK for N years” story when they would rather upgrade you to a new digital cable set-top box, and while they’re at it, try to replace your phone too?

So, even if it’s true that analog cable customers will live just fine on the analog cable plant for quite some time, you’ll only see it either in extremely fine print, or omitted as a choice at all in most promotional materials.

Now, it is also true that for bandwidth utilization reasons, the cable companies would like to convert their cable plant to all-digital. If they somehow manage to convert all their cheap $8/month basic cable customers to some fatter bundle, all the better for them. The good thing is that digital OTA tuners will provide competition, so the cable company had better have something that competes with free digital for cheap customers, or they’ll just lose the low end altogether. (The only reason I have basic cable is because my analog OTA reception is poor. Once digital OTA becomes cheap (it’s not yet, standalone tuners are too expensive), I’ll be a digital OTA customer unless cable really makes it worthwhile not to switch. It’s a race to the bottom for my dollar.)

Once they start losing a significant number of customers to digital OTA, then they will start publicizing cheap basic analog and constructing cheap basic digital. But they will wait as long as possible.

Talk Like a Pirate Consultant

September 19 is Talk Like a Pirate Day. It must be ever more popular, because one Talk Like a Pirate Day web site and its text translator died from overload. Meanwhile another Pirate Speak Translator offers text like:

I’ve been helpin’ t’ orrrganize a rrregional securrrity conferrrence, th’ second annual Rochesterrr Securrrity Summit, schedul’d ferrr Octoberrr 3 and 4, and a bottle of rum! Good prrresenterrrs, both business and technical trrracks! Some seats be still open, rrregisterrr now!
Gar, where can I find a bottle o’rum?

2007 Rochester Security Summit

I’ve been helping to organize a regional security conference, the second annual Rochester Security Summit, scheduled for October 3 and 4. Good presenters, both business and technical tracks. Some seats are still open, register now!

Vote but Verify

Local Rochester-area political blogger Thomas Belknap recently railed about HR 811, interpreting its requirement of a voter-verified durable paper ballot as a small-minded banning of an attractive future of modern networked reliable electronic voting machines. I could not resist posting my disagreement into the comments on his blog, and perhaps I am going to convince him, as he edited out my most provocative snide political shots and left in some of my more reasoned comments.

As a security person, I must point out that if machines do not produce a reliable auditable record, then all you have is a fait accompli fraud-blessing device. That’s the short version of the security argument.

I’m willing to go along with NIST that, as of today, all-electronic systems are an important research topic, not a settled present alternative:

The approach to software-independence used in op scan is based on voter-verified paper records, but some all-electronic paperless approaches have been proposed. It is a research topic currently as to whether software independence may be able to be accomplished via systems that would produce an all-electronic voter-verified, independent audit trail (known as software IV systems).

A durable paper ballot requirement is not a retrograde goof, nor a rejection of e-voting. It’s a reflection of current reality, that all-electronic e-voting implementations are asking for trouble. Codifying an allowance for all-electronic systems today would just open the door to arguments about what’s good enough cryptographically, arguments that will be settled by folks even less competent than our representatives. Codifying the well-understood voter-verified paper audit trail as a requirement puts an immediate crimp in the shopping spree for fancy-looking machines that are rotten inside – a shopping spree that will continue if this law isn’t passed, creating an ever-larger lump of sunk investment in pretty bad technology.

A paper audit trail today isn’t a rejection of e-voting, it is progress toward a more robust implementation that in the future will, no doubt, also include other alternative durable auditable records.

For credible background on the security geek consensus, see the above-quoted NIST draft, the US ACM policy recommendation, or Bruce Schneier (University of Rochester physics alumnus!). Or anything by Ed Felten or Avi Rubin on this subject. In this case, our representatives seem to be listening to informed advisers.

Regarding politics: All parties’ oxes have been gored at one time or another by voting fraud or rumors of fraud, so this does seem like an issue on which a consensus could form.

blog backup

I participated in the public beta of, and since then the service has gone live, and, for now, free. Signing up is relatively effortless, and now I have an extra up-to-date copy of my blog content without any administrative effort on my part.

They don’t back up image content yet, but they’re working on it. I haven’t tried using their restore feature to migrate from one platform to another, but it looks like that would be a lot easier than my previous export/import from Radio UserLand to Movable Type to WordPress.

Systems programmers help people

Way back in the 1970s, I attended a banquet at RIT, for incoming or prospective students. My assigned seat placed me next to another intended Computer Science major.

I had cut my teeth in high school on some Basic programming (on a Xerox Sigma mainframe and a Wang 2200B), then self-taught myself APL and IBM/360 assembly language (paying for access at UR to an APL terminal, and editing object decks on the keypunch to save money while debugging assembly language programs).

My dinnermate at the banquet had had no such experience. So in choosing her major and concentration, she had to depend on the layman’s descriptions she heard during a college visit. You see, application programmers write programs that actually do things. Meanwhile, system programmers work on the operating system.

What’s an operating system? Well, it doesn’t do anything itself, it’s just there to help people write application programs.

Why did she choose Computer Science with a system programming concentration? “I like to help people.”

Goodbye IE6

My installation of Microsoft Internet Explorer 6 (version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519) has developed the unfortunate problem of frequently (about once a day) trashing its ability to render correctly: painting its window contents at various places all over the display, rendering in the wrong font, leaving turds all over its window while scrolling. Once it starts I have to kill iexplore.exe to make it stop. I believe it is fully-patched.

In my mind the appearance of this problem is correlated with the appearance of two new aggressive JavaScript interfaces: The much-improved BlogLines feed selector, and the very-irritating Yahoo Finance streaming quotes feature (which slows down every refresh even when set to “off”). That may just be coincidence.

It does mean there’s some serious undiscovered memory corruption going inside IE6 somewhere.

It’s a good time to switch to FireFox and/or IE7.

Yahoo’s Browser-Based Authentication service

Yahoo’s release of open access to its BBAuth authentication service (see also here and here) is a big step forward. It’s just the thing for many simple applications. It’s not as good as a user-controlled cross-provider identity scheme, but the emergence of a few real high-volume competing web services will help drive us there.