Wednesday, August 31, 2011

Quote De Jour

Looking for a safe asset class today, is like a Soviet bureaucrat in 1989, sensing trouble ahead, looking for the directorate with the safest job. - John Robb - 2011

Friday, August 26, 2011

Cloud Gate at Dawn

It's been a long time since I did some tripod photography, here's an HDR photo of "The Bean" at sunrise.

Please call it the "fair market" from now on...

The value of Government regulation in commerce and in other aspects of life in the USA has been greatly depreciated by careful propaganda, called "framing". This is doing great harm, and needs to be corrected.

You CAN help... and it's easy... just use a better frame, every chance you get.

When you're about to write or say the phrase "free market", please say "fair market" instead. It's a simple and subtle substitution which puts the need for laws back into their proper place in the mindset when discussing such things.

Markets are a balancing act, they require rules in order to give the confidence required to trade without fear, but also the ability to set prices optimally, without unnecessary rules. A fair market maintains that balance, whereas a "free" market as defined by the right is one more like the wild west.

----

Notes only vaguely related to the above call to action...

1) As you might already know, any idea you have, is already on the internet, if you can conjure up the right search terms and cast the spell into Google. Such is the case with my idea for a new term, fair market capitalism.

2) There are many other frames which need to be addressed, especially "intellectual property". It would be nice if we had a place on the internet to discuss them and get distribution, to counter the right-wing machinery put in place over the last 30 years. It should be fair and open discussion, with an emphasis on the desired result of getting a better framing around conversations to help us all in the long run.

Sunday, August 21, 2011

Secure Little Application Project? - Saving an idea at 6 AM


o/~~~
6AM,
wakin' up in the morning
Gotta write now
Gotta save that idea....

ok... enough of the Friday spoof


Here's an idea for implementing a secure space for applications to run in an otherwise insecure host environment, leveraging VMware, Xen, Citrix, QEMM, or a separate physical box to run applications cut off from reality, and restricted to a strange little world, where the default answer to "can I have this?" is NO.

--- copied from my WikidPad page on my laptop ---


++ Secure Little Application Project

Slap, Slip, SL?P

Write the smallest possible operating system that fits inside a virtual machine. It would make requests across the net (or some other API) for everything, thus not able to infect the host system.

Like Secnurse, the application would be in its own address space, cut off from all the normal API calls, and thus couldn't break the host.

In its own little world, applications would run, and request resources from a host program written in something like Delphi, C++, or whatever is convenient.

It would then be somewhat easy to provide file and folder services, not being bound to the normal rules of things, and all the hidden holes that go with undocumented "features" in the host environment.

Separating the app from the host environment is a good step
Having multiple versions of the service host to choose from helps make sure the code is clean.
Everyone can implement their own, and compete for better models of things.


Host - the PC running the VM
Guest - the application
Concierge - the program that gets everything for the guest

Thursday, August 18, 2011

Yet another story about security

Recently, managed code was supposed to save computer security. I believe it solves the wrong problem, and I think this story will help explain why...imagine this bizarre scenario:



You wish to purchase a bottle of coke at the 7/11.

So you get to the check out counter, with the bottle of coke you wish to purchase.
You put yourself into suspension so that the clerk can...
  • Find your wallet, get money out, put all but $2.15 of it back in
  • Prepare your receipt
  • Wake you back up
  • Hand you the receipt

Imagine that you grew up in a world where this was normal behavior. Sure there were some dishonest clerks, but those were few and far between. Enough people eventually complained that they started a list of bad clerks, so you could check to see if the clerk was on the list before you decided to make a purchase.

Problem solved, right? WRONG...

  • What if someone tricks the clerk while you're in suspension?
  • What if they make a mistake?
  • What if they have an accident?
  • What if they just decided to turn evil, and aren't in the bad clerk list yet?

This bizarro world is almost precisely how we do things with computers. Instead of ourselves, it's our computer account, and instead of the clerk, it's a program we're about to run.

Now... look at how we do things in the real world...

When you buy a coke at the 7-11, you take your coke to the register, then you
  • Offer a form of payment, let's say $5.00
  • Get change and a receipt
Because you decide the form and amount of payment you offer, you decide the amount to risk. The worst that you can do is to get the wrong change back. 

The side effects are limited BEFORE you decide to make the payment.
It's immediately obvious if you have completed the transaction.
There is no possibility of bizarre side effects, like having your living room painted a Slurpee Blue because 7/11 decided to offer a new feature.

Why not have the operating system do its job and enforce a scenario like this...

You have a program you'd like to run
  • Make a list of resources the program should be able to access
  • Specify read, write, modify access to each of those resources
  • Present the list, along with the program, to the operating system, for execution
  • Enjoy the results
Since the operating system is the ultimate provider of access to resources on the computer, it can fairly and reliably check to see if access should be granted. If a resource isn't in the list, the program will NOT get access to it.

The difference is subtle... giving everything by default, or denying everything by default. Windows, Linux, Mac OS, all give everything by default. Perhaps it's time to reverse that decision.
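
The resource list described above, and the Concierge from the Secure Little Application Project post, sketched as an added example (not code from this blog). The class and function names, the trailing-slash convention for granting a subtree, and the sample paths are all assumptions constructed for illustration.

```python
import posixpath

RIGHTS = {"read", "write", "modify"}  # the access kinds named in the post

class Concierge:
    """Host-side broker: a guest gets only what its manifest lists."""
    def __init__(self, manifest):
        # A trailing "/" grants the whole subtree (convention assumed here).
        self.grants = []
        self.audit = []  # every decision is recorded, ALLOW or DENY
        for path, rights in manifest.items():
            unknown = set(rights) - RIGHTS
            if unknown or not path.startswith("/"):
                raise ValueError(f"bad manifest entry: {path!r}")
            base = posixpath.normpath(path)
            self.grants.append((base, path.endswith("/"), frozenset(rights)))

    def request(self, path, right):
        """Answer one guest request. Anything not matched is a NO."""
        ok = False
        if path.startswith("/") and right in RIGHTS:
            # Normalise first so "scratch/../.ssh" cannot ride on a grant.
            target = posixpath.normpath(path)
            for base, subtree, rights in self.grants:
                inside = subtree and target.startswith(base.rstrip("/") + "/")
                if right in rights and (target == base or inside):
                    ok = True
        self.audit.append((path, right, "ALLOW" if ok else "DENY"))
        return ok

# Constructed manifest and guest requests, for illustration only.
MANIFEST = {
    "/home/user/docs/report.txt": {"read", "modify"},
    "/home/user/scratch/": {"read", "write", "modify"},
}
REQUESTS = [
    ("/home/user/docs/report.txt", "read"),         # listed
    ("/home/user/docs/report.txt", "write"),        # right not granted
    ("/home/user/scratch/out.tmp", "write"),        # inside granted subtree
    ("/home/user/scratch/../.ssh/config", "read"),  # escapes the subtree
    ("/home/user/scratchpad/x", "write"),           # prefix look-alike
    ("/etc/hosts", "read"),                         # never listed
]

def run_guest(manifest, requests):
    """Replay requests through a fresh concierge; return (decisions, audit)."""
    c = Concierge(manifest)
    return [c.request(p, r) for p, r in requests], c.audit
```

The path check here is purely lexical; a broker sitting in front of a real filesystem would also need to resolve symbolic links before deciding.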


Wednesday, August 10, 2011

The truth about computer security, a military analogy


Imagine if you could only decide if you trusted a soldier or not, a binary decision, for each and every soldier in the military, at their time of enlistment.
    If you trusted him, he had full access to every weapon and resource at our country's command, until he decided to leave.
    If not, he wouldn't have access to anything.
Would it be possible to have a classification system in such a regime, when one spy could give away everything to the highest bidder?
Would it be possible to have an effective command and control system, when rank means nothing because there are no privileges that go with it?
Would it be possible to even have a country, if one loose cannon could launch Armageddon?
No, of course not... security decisions have to be much more fine grained than that... you don't trust any soldier absolutely, it would be insane to do so.
Even the tightest background checks in the world wouldn't help, because it only takes one mistake to lose everything.
Yet we have no problem with giving that soldier (or any user, for that matter) a computer and that same choice... either trust the program he's about to run with every resource at his command, or don't accomplish anything.
Until we remove this false choice, we can never have secure computing.

Friday, August 05, 2011

Today's rant against.... ATT

I spent wayyyyy too much time on the various ATT/SBC web sites (there isn't just one, and they are interlinked) trying to find a new phone plan that doesn't end up costing almost $1/minute to talk to someone 20 minutes away.

Somewhere in between various web servers going back and forth on every click, I must have crossed over the River Styx, and began a descent into HTML hell....

After my best shot at it, I bailed out and started looking for a phone number to a real person.

I eventually found someone to CALL, and got it all taken care of... whew...

At the end of the web experience, I answered a lengthy survey about the web site(s)... here's what I said to the "what do you suggest to make things better" question:

1. Unify all of the sites, eliminate artificial (sp?) separations between local and long distance, between DSL and Uverse, wired and wireless, etc.

2. Fix navigation so that the BACK button actually works as intended.

3. Always have support links on the page, a number to call, an email address, and a place to chat.

4. Always show where in the navigation tree things are, and UNIFY that tree.

5. Make a nice grid for showing options on phone service, even if I have to scroll both directions, it's much better than trying to work around a broken back button...

This web site is like playing ZORK, except there's no place to type XYZZY to get back to a known location.