Saturday, December 31, 2005

Why we can't trust NGSCB

Microsoft is working hard to secure computing, but their approach is one of total lockdown... and doesn't handle one very big problem in the world of software... bugs.

While it's possible that they will be able to attest with a degree of certainty that a given computer is running with known hardware and known software in a known state... it doesn't handle the unknown... bugs in "trusted" applications that haven't been disclosed.

Even the most paranoid software authors make mistakes and bad assumptions, bugs will always be with us. All it takes is one small crack in the code, it your "trusted application" gets compromised. The all or nothing approach doesn't limit the actions of the code, just access to it.

Capabilities allow even malicious code to be run because you don't have to trust it. You limit your trust to the operating system kernel. This is a much smaller attack surface to defend, and one that would be common to all users, and thus get the most eyeball - hours.

Who ever wins the race to get capabilities built into a real-world system first will get to set the direction of computing for the next 10 years.

Mobile code and Security

I was searching around for a quote about things... and found this gem from Arnold J. Toynbee:
Apathy can be overcome by enthusiasm, and enthusiasm can only be aroused by two things: first, an ideal, with takes the imagination by storm, and second, a definite intelligible plan for carrying that ideal into practice.
Now, it's clear to me that we're dealing with apathy when it comes to security. Nobody really wants to have to do the massive amount of work it takes to replace a security model, and we're all willing to put up with "good enough", because we're overwhelmed with stuff to do.

I will keep trying to push both parts of the above equation... talking about the ideal, and helping to author the plan to carry it into practice. This blog is a tool in that process. I thank Doc for the linkage, it's got me charged up... and I thank my lovely bride for her support.

How to recognize to a secure OS


A secure OS is one which is immune to the threat of mobile code. - me, just now

The need for mobile code

We live in a networked world, one that we hope will remain open and unrestricted. It is necessary to secure the ends of the Internet, if we are to have any hope of discouraging the filtering of the middle as necessary for security. Thus, in order to secure a future without censorship and severe limits on innovation and freedom, it is crucial to get a foundation built which we can actually trust.

According to the DoD memo:
Mobile code is a powerful software tool that enhances cross-platform capabilities, sharing of resources, and web-based solutions. Its use is widespread and increasing in both commercial and government applications. In DoD, mobile code is employed in systems supporting functional areas ranging from acquisition to intelligence to transportation. Mobile code, unfortunately, has the potential to severely degrade DoD operations if improperly used or controlled.
Software is the distillation of Knowledge into Executable form. Thus, the sharing of software is the sharing of knowledge. We MUST be able to run other peoples programs without fear of ill consequences. This requires a Secure OS.

It's said that the only secure computer is one that is entirely unusable. I've repeated the story that the only way to secure a computer is
Disconnect it, crate it up, bury it 6 feet down in a concrete vault, and post armed guards... even then it might be secure.
Now, I know that physical access to a machine trumps any software measures, OS, etc... and thus I'm leaving this out of the scope. A typical user doesn't want to destroy is machine, he just wants to use it as a tool, run whatever programs, view whatever documents, and just get on with things. It's our job to make it happen.


A capability explicit permission to do a specific task. Jonathan Shappiro points the way:
The term capability was introduced by Dennis and Van Horn in 1966 in a paper entitled Programming Semantics for Multiprogrammed Computations. The basic idea is this: suppose we design a computer system so that in order to access an object, a program must have a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability.
The concept of capabilities has been around for a very long time, but it's not been chosen as the basis of a security model in a modern OS. The tradeoffs made during the design of our current crop of OSs didn't need to take mobile code into account, obviously things need to be reconsidered.

There's a whole lot more writing and editing to do... I'll cut it off here, and thank you for your time... here are some of the links I used to write this post:

Imagining a secure OS

I have a dream... the following will happen on or before January 1, 2010.

Bill Gates (or Linus) takes the stage, and announces a new Secure operating system. He talks about it's features, how much work it took, etc., etc. Then he does something which would currently be insane... he challenges the world to crash the machine...

He explains that to demonstrate the security of this new OS, they will run ANY program you care to submit to it via the internet, with no questions asked, and report back the results. If you do happen to manage to crash it, you'll get $1000,000, and your 15 minutes of fame.

The site goes live at the demo, and keeps running for years...

And we never worry about applications taking out the OS again.

Free the Photons!

Bruce Schneier points to a scheme by Laszlo Kish to use noise and some good solid electrical engineering to replace quantum wierdness to build an "absolutely secure" communications link. Bruce points out
Generally, if you can eavesdrop you can also mount active attacks. But this scheme only defends against passive eavesdropping.
So, here's my idea for an active attack:
  • Survey they surrounding environment for a convinient carrier source, such as a local AM radio station
  • If necessary, inject a similar signal into the cable using a passive coupling (crosstalk)
  • Insert a pair of directional couplers to cross correlate the source signal and the resultant mismatch returns from each end of the line to measure the resistances.
I'm sure that given sufficient resources, this idea could be modified to use an injected wideband noise source to make it sufficiently undetectable.

I'm intrigued by the efforts of Dr Kish, and I wonder how they'll hold up to this, and other attacks... let the vetting begin!

Capabilities in 2010, or bust

Musings at 3:45 AM...

I'm sitting here, wondering just what it takes to change the world. My goal is simple, to get a secure operating system written by 2010. I'm firmly convinced that Capabilities is the way to get there...

Just how much effort does it take to change the world? I've heard that it's as simple as refusing to go along with indifference, which I suppose is possible if you happen to be right at a tipping point. If you're not that lucky, I assume it takes more work. Maybe you have to find the tipping in progress and help it out a bit...

My challenge is to overcome my own bad habits, work within my limitations, and muster the forces required to research and develop a capabilities based security model layer to replace the access control lists that currently handle the security needs of pretty much every computer out there.

I'm willing to make some tradeoffs, of course...
#1. I don't expect to be able to boil the ocean, so I just want to make something available, and let the market decide if it's a good idea
#1a. So I have to make something that's usable by the leading edge
#1b. I have to justify the effort required to switch

#2. I don't expect to write this myself, because I'm just one guy... and I'm not a programmer

#3. I'm willing to accept help from everyone

Now... here's why this stuff is being written instead of me getting some sleep.

We've had yet another hole in Windows, which threatens everything... we'll do what it takes to patch the hole, and go back to sleep... a reactive behavior pattern which doesn't actually fix the problem. This drives me nuts!

Its a tragedy, and we're all players... it's time to get off the merry go round, and actually do something different... we need to be proactive, and explore real solutions.

How do you know you've got a secure OS?


When you can run ANYTHING on it, at ANY time, with NO FEAR.

If you've got a secure OS, you'd be willing to take a CD from any random person on the street, stick it in, and run the damned thing because you know your OS will only allow it to do exactly what you've specified, and nothing else.

If you've got a secure OS, you know that NO application can ever take over the OS, unless you explicitly given it the capability to do so, and haven't revoked it.

If you've got a secure OS, you never have to run a virus scan again, EVER.

If you've got a secure OS, you can just get your work done, and get on with life.

The operating systems we're all using including Windows, Mac OSX, and Linux all are based on some form of username/password with access control lists... which was great 20 years ago, but it's time to move on. We need to put forth the effort to get Capabilities out of the lab, and on to our servers and desktops.

We need to LEAD the world, and make a quantum leap forward (ouch... cliche') in security... and this, I think, is the way forward.

I ask every one of you for whatever help you can give to make this happen. I'll do what I can in return.

Thanks for your time and attention.


Friday, December 30, 2005

Security gets another 15 minutes of attention

They've found yet another hole in the current leading OS. (Windows in this case, but that doesn't really matter in the meta) We're going to give security it's 15 minutes of fame... then promptly go back to sleep again.

We all have short attention spans, and some of us even know it. What's needed is a FIX for this problem... an honest to goodness SECURE operating system, one that withstand even the onslaught of the brightest hackers with millions of funding, because that's the only thing that will actually end this mess.

I've read (and believe) that Capabilities based systems have been mathematically proven to be unbreakable. This is exactly what's needed in the long term. I know it'll take years to get it out of the lab and into our PCs... but damnit... we need it!

I hope this sinks into at least one other person's head.... we need Capabilities based OSs.

Thanks for your time and attention.

Wednesday, December 28, 2005

It's the Ends, not the Means

I recently wrote a about the nature of the internet. There's a middle ground between too much emotional reflex and too much analysis... and it's an unhappy valley in the middle... where that post landed.

Bob Betcalf wrote in 1998
to respond to the "Death" of the Internet:
As I tried to explain in New York, the Internet is distributed in several dimensions. And one of the Internet's beauties is that it can evolve separately at many points along these dimensions. And evolve it does.
As with any complex system, there are tradeoffs made. Those tradeoffs may become unacceptable with time as the costs that were balanced shift with economies of scale, new technologies, etc. Most of the problems people associate with the Internet are actually problems at the ends of the network, not the means.

Email, for example, was created to allow Academics to send documents to each other. The cost of authenticating the source of a message was considered prohibitive, so it was left out of the SMTP protocol. Now that we have an Internet that is no longer limited to an enthusiast audience, the cost of authenticating the sender is probably far less than allowing the protocol to remain unmodified. I expect some form of authentication to take hold in the next few years. This is one of the many facets of life touched on by the Indentity thread that Doc and others talk about on a regular basis.

The underlying network doesn't need to change to allow a new Email protocol. Just as with most other "problems" with the internet, it won't take a complete replacement to fix things, just work on the affected components.

Internet 2, and Web 2.0 might be nice labels for collecting innovations, but they are generalizations at best. A set of tags to help associate things with, but not specific enough to warrant being a standard.

Technology keeps getting better... if we can keep the uninformed away from policy, we're going to get more and more value from the Internet for many years to come.

Thank you for your time and attention.


Sunday, December 25, 2005

The Internet isn't broken, but it is misunderstood.

The folks at MIT's Technology Review assert that The Internet Is Broken and proceed to tell all about the wonders of the MIT project to create a new, better internet. Since I'm suitably offended, and have the free time, I will now proceed to pick this apart as my own way of calling bullshit.

The Internet is a set of applications on top of some well defined layers.
The tone of the article is that the Internet is a monolithic whole, and must be completely replaced. This is a Boil The Ocean view of things, and completely misses the point. The entity commonly know as The Internet is actually a simmering pot of stew on top of a few well engineered layers. The strength of the Internet as a whole is that nobody owns it, and anyone can improve it. It's important to know which layers are responsible for which actions if you want to have an intellegent discussion about making changes, which most pundits seem to lack, or are willing to gloss over to support their cause de jure.

IP - the Internet Protocol
A lot of people think of the Internet as a place, a pipe or other things... it's really just a protocol.
A well engineered protocol that has stood the test of time. The base philosophy is one of doing as little as possible, but no less. The ONLY job of the IP layer is to get a packet from its source to its intended destination address. Just as when you drop a single postcard in the mail, you have a reasonable expectation it will arrive, but no guarantee, the same is said for Internet Protocol packets.

Note: There are some safeguards built into IP based on the lessons of experience. They help avert most of the stupid meltdowns that can occur. For example, because IP is a forwarding protocol, one of the most basic problems is that of an infinite loop. To prevent this, all routers (computer nodes that process IP packets) are required to decrement the TTL counter that exists in every IP packet. If the value of the TTL counter reaches zero, the packet is discarded. It's a simple and very effective means to prevent infinite loops.

Now I could continute into a long dissertation about the other layers... but we'll skip that.

It turns out that Bob Metcalf has already done the work for this post.... back in 1998 he wrote Is the Internet Dead go read it.

Tuesday, December 20, 2005

Software is never done, either

Doc points out speechs and products aren't ever "finished" in the traditional sense. This is due to the contracting timeframes available. Back in the days of vellum (made from animal skin, literally "the word made flesh"), you had to VERY carfully consider what you were going to do, with almost no chance for correction. Years to produce a work were common, as well as some things that were to be published only after the death of the author. It's a far different world we now live in, with blogs read daily, which even outpaces the heroic efforts of the victorian era Post Office for correspondence.

We just don't have time to "finish" something. The era of having one acknowledged genious per topic has passed on with the increasing specialization and amateurization of knowledge. There are many who can now be an expert in a field outside of their profession. Blogs and the live web make this possible on a scale previously impossible (or impractical). Because the knowledge is distributed in this manner, it's necessary to spread out the consideration and editing, which is what we're all doing these days.

In the world of programming, this is reflected in the trend towards open source, and the recent emphasis on making everything available online, even the currently untested buggy development version just as it comes back in to the SVN revision system. Things will be less polished, less "professional", but of far better quality overall than they have in the past.

Change is the one constant in the universe, and we're all learning to deal with its new ramifications as things get more interconnected.

Thanks for your time and attention.

Thursday, December 15, 2005

Useful Abstractions

Michael paraphrases Doc

The URL = an abstraction of...
The IP address = an abstraction of...
The MAC address.
The purpose of abstraction is to move dependencies. This allows specialization, which then allows economies of scale to do their work. When we use an abstraction, we're ceding some control, in order to simplify our lives.

It is important to keep in mind that the dependencies still exist, and need to be managed. We, the technicians and engineers of the world do just that, which is why we get paid the big bucks, right? We're part of the cost of abstraction, which everyone accepts as part of the bargain.

Now, in turn for paying the costs, lets look at the nature and benefits of the abstractions, in reverse order.

The MAC address
The MAC address of network adapters is a useful abstraction of a complete computer or hardware device, because things get moved or upgraded. Imagine if you had to have a wiring diagram for every single pin of every wire in your company in order to do anything. You'd always be using some form of wire tracer to track down problems. MAC addresses free us from the constraints of having to map and manage every physical connection.

The IP address is a useful abstraction of the MAC address, because connections shouldn't require a specific route or knowledge of the network.

You (or your computer) shouldn't need to know the exact circuit path necessary to get data to another computer. Just as a mail address allows anyone to send mail to any address in the world, an IP address serves as a unique identifier to allow a message to find its destination anywhere in the world.

Note: One thing people forget about mail is that there is no security when it comes to the source address of mail. (AKA the Return Address) This tradeoff has been accepted since the inception of public mail services, and is one of the driving forces behind mail fraud laws, etc. This fact is also true about IP packets, and I suspect it will always be true for any store and forward system for sending data.

The URL is useful an abstraction of The IP address, because content shouldn't be tied to a specific server or service.

Now this does skip a layer or two, but is very useful as well. The nature of the URL allows specification of a protocol, server and filespec by name. A uniform set of parameters allows one to access a document via across 3 namespaces in one fell swoop. It doesn't matter if its Gopher, FTP, WWW, RSS, or something completely new, it still can be used as the protocol. It doesn't matter where the server is, the server name leads the way. It can be buried 3 folders down, or can be part of a RESTful address, it doesn't matter... All of this glorious complexity can get put into one URL, and let the tech's worry about the rest.

This brings us to the focus of this posting, what's the next useful abstraction. How does the world work, or better yet, how do we want the world to work?

Here are a few themes and suggestions that come to mind:

Usernames are how computers abstract us, because computers shouldn't be tied to specific people or companies.

Think about it... if everyone had their own PC, and could never share them, there wouldn't be a need to have passwords. As computers moved out of the labs, and became multi-user, it was necessary to find was to abstract people so that the computer didn't have to track each capability for each and every possible person. It's the need to decide what capabilities are given to which people that resulted in the creation of usernames, passwords, and that whole level of abstraction.

When a person has only a handful of accounts, it is reasonable to assume they can manage them. With the growth of services on the internet, it's possible that users might need to have rights assigned to them on computers they don't even know about. It's time for another level of abstraction, which is what the identity folks are all talking about.

Indentity is how we want to abstract our relationships, because we shouldn't be tired to direct personal relationships with each and every server or service on the internet.
Anyone with a resource made available to the internet immediately hits the brick wall first encountered when computers made it out of the lab, the need for relationships. To limit use of the resource, a relationship is imposed, often carrying with it an assymentrical relationship of power, and frequent possibilities for abuse. The only identity we currently have on the internet is the one that we manage to assert through the filter all the imposed relationships.

When someone runs a service, such as a site that allows comments, spam rapidly rears its ugly head. To limit the spam, the usernames and registration get forced on users. Often the signup requires us to disclose far more than is really necessary, but is a tradeoff most make. All of this, just to really say to the service... yes... this person is real, and not a spammer.

There was a joke RFC in the past few years about adding an "Evil Bit" to packets on the internet. A working relationshop system is part of the way to implementing a "Good Bit" for the internet instead. It's a way of asserting identity, and preventing spam. Repudiation, reputation, and all sorts of other terms float into the discussion, but it's really all about trust. Trust that is, and always will, be destroyed by those who game any system.

Usernames worked for a while, but with throw-away email, and other contermeasures, they are rapidly losing their effectiveness. For this reason, the abstraction we'd like to define as "Identity" will happen, and our conversations will hopefully lead developers and the rest of society towards OUR version of this abstraction, and not some corporate DRM 1984 world that might otherwise evolve.

Tags are a general purpose abstraction for categorization, because we're not all reference librarians, and it's good enough.

There are some who have big problems with tags, because they're not specific enough, and they might overlap, and they tend to be a bit messy. What they do for us is allow us to categorize things for the task at hand. On Flickr, they help locate pictures of kittens, elsewhere they help categorize knowledge, websites, RSS feeds, etc. Tags are gritty and human, and just functional enough to get the job done. They serve as useful abstractions of the subject at hand.

Thank you, gentle reader, for your time and attention.

Friday, December 09, 2005

MoonRise at Navy Pier

Originally uploaded by --Mike--.
I took this photo earlier this year at Navy Pier, here in Chicago. It's a sequence of pictures I took using a tripod, with the camera set to interval. I combined them in Paint Shop Pro to the image you see here.
It was a nice evening, with some pleasant conversations explaining to others what I was doing and why... I'm pleased with the end result.

The frames are about 3 minutes apart.


Over at Bedazzled, the author states he's not going to filter his opinion out of his blog.... and I say AMEN!

He does indicate that he's on the left end of the scale... which is fine for him. I'm not on the scale myself. The linear scale of "Liberal" to "Conservative" doesn't work for me. I've got a vast range of opinions about things, that are always shifting as I learn and grow, and certainly can't be confined to measurement in any given dimension, let alone a single dimension.

I'm a believer in individual rights, for the most part, but not always.
I believe in limiting goverment, but not always.
I believe in separation of Church and State, but still think a prayer is a good thing.

It's not a black and white world, nor are the mere shades of grey between sides anywhere near enough room to even begin to talk about all these issues.

Cut all of the crap about Conservative/Liberal... it's an artificial dimension, with no depth. Consensus is what really matters, when many become one...

E Plurbus Unum

We're all many dimensional, and always growing. Let's cut the divisive red/blue crap and get back to doing what we really need to do to get this country going in a positive direction. Let's all talk, and converse, and learn to understand and share our many dimensions.


I got Flickr

Doc pushed me over the edge, and I've gotten a Flickr account. I uploaded 900 or so photos yesterday. It's a folder of pictures I gathered when I was getting ready for my first Around The Coyote art fair in 2003.

In the past 8 years I've taken well over 60,000 digital photos. People assume I do nothing but click the shutter all day long, but it's not really true. When it costs anywhere between 20 and 50 cents per exposure, you tend to think before you click... for me an addition exposure is essentially free, so I tend to take multiple views of things, and experiment quite a bit.

The real cost of a good set of pictures is the price of the metadata. The cameras all embed quite a bit of info in the photo, the kind of things Ansel Adams and his generation had to write down and keep track of by hand. It's only now beginng to dawn on me how nice it is to have this info, and the computers in the cameras have been doing it for me all along.

Flickr uses this metadata in a way I hadn't imagined... it grabs the original exposure date, and uses it to build a calendar of the photos I upload, automatically! It's VERY cool.

So, now I can refer to all of my online photos: as well as the cool set of shots I got on September 3, 2001. There is also a calendar based on the upload date, which for me is far less important, but might not be for others.

It's amazing what $25 can buy these days. I'm very pleased with the results so far.

Now, to add more value, I need to add more tags, which will take a lot of time, but I expect to be worth every minute as well.