March 27th, 2006
|03:04 pm - Of Martial Arts and Volleyball|
My dojo has had to move its mat space several times as Dartmouth renovates Alumni Gym. The mat is now in Leede Arena.
Friend and officemate Sean Padgett, head instructor of Dartmouth Tang Soo Do, which shares our mat, has told me that the Dartmouth PE office has rescheduled their training sessions to allow the volleyball team exclusive use of Leede Arena. Leede Arena has three basketball courts. The volleyball team needs only one, and there are curtains to keep the courts divided, but they want the entire arena to themselves, since letting anyone else use it would "ruin the atmosphere." Padgett Kyosanim has also been forbidden from talking to the volleyball coach to work out a deal.
This has made it impractical for Sean to teach his class— the new time just doesn't fit into his schedule. This may force him to withdraw Tang Soo Do from the PE offerings, though it would still meet as a club.
I don't know what kind of atmosphere the volleyball team needs, but we've had to put up with an aerobics class next to the mat during our scheduled class time. It's hard to be zen and meditative with music blaring only twenty feet away. It's hard for Sensei to instruct the class over the aerobics teacher shouting into her microphone. But Sensei has kept in touch with the aerobics instructor and we've managed to peacefully coexist. The idea that the volleyball team needs three basketball courts to itself for "atmosphere" seems absurd, since I've mastered several levels of techniques while rip-offs of my favorite techno songs effuse my atmosphere.
But it gets worse than that: Sean didn't find out about all this until a student of his, while registering for PE credit, noticed that the class had been rescheduled and asked Sean about it. This was after the PE office ignored Padgett Kyosanim's repeated requests for information regarding the future of his class's meeting space.
It gets worse still. If the College does not complete construction of the new martial arts space by summer, there likely will be no place for the various martial arts classes to practice over summer, since Leede Arena is completely rented out for summer camps. Dartmouth expects to have it completed by summer, but I've found a good rule of thumb for Dartmouth projects is to add two years to the expected end date.
So, it would be helpful for Dartmouth Tang Soo Do if the volleyball team could learn to share.
March 22nd, 2006
|04:56 pm - This Iteration has ended! On to the Next!|
Last night, Andy, my landlord at the old apartment I shared with Jess, told me he's decided to cancel my lease and return my deposit. In other words, I no longer have to pay $850 a month until September for an apartment I never use!
With this, I will now be ending austerity measures and declaring an end to that chapter of my life. I can now begin my life anew.
Current Mood: chipper
March 3rd, 2006
|12:43 pm - The Ups and Downs of Apple Security|
SearchSecurity reports that Apple has released patches for fifteen security flaws.
Now the large number is nothing to get excited about. Microsoft's monthly patch updates occasionally contain a large number of patches for low risk vulnerabilities. But there are two interesting points to the story. First, Apple has given details about the flaws to the public. Apple used to quietly release security patches without informing users what the risks were. For your average user, that isn't a problem, but security professionals need this information in the course of their daily work. Mac may have a small market share, but it also has niche industries, like graphics design, that might consider this information critical to their operations. With this batch of patches, Apple has given plenty of details about the flawed components and how dangerous they could be.
The second thing to notice is how dangerous they could be. Many of the flaws are esoteric and would take a rather sophisticated exploit. For example, "File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names" allowing an attacker to "launch malicious code from file servers." Others are more serious. A few of my favorites:
- "In Mac OS X v10.4 Tiger, when an e-mail attachment is double-clicked in Mail, download validation is used to warn the user if the file type is not safe. But certain techniques can be used to disguise the file's type so that download validation is bypassed." This flaw is somewhat esoteric to exploit, but hackers have been using a similar flaw in Windows successfully.
- "A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious Web site to cause a crash or execute arbitrary code as the user viewing the site." In other words, if you visit the wrong website, you get infected with a virus. Just for visiting. The obvious solution is not to visit a malicious site. But consider your own web browsing habits—can you vouch for every site you visit?
I consider these vulnerabilities extremely critical. And Secunia agrees with me.
When two malwares appeared last week to exploit Mac OS X flaws, many Mac users were quick to dismiss them. "It's not a real worm because it requires user interaction." Or my favorite, "Sure Mac OS X has flaws; everything does. But it's still safer than Windows!" I argued that my fellow Mac users were missing the point. The flaws are there, and now hackers have started paying attention to the Apple platform. Mac users need to start taking security seriously, because they're years behind Windows users on this road. I said it was only a matter of time before someone finds a critical flaw in Mac OS X, and if the hackers are watching, they'll exploit it.
I didn't expect Apple to bolster my argument so soon. But I know an extremely critical flaw when I see one. I've been swiping all my friends' Macs and forcing them to run software update. It's time for Mac users to show that famous solidarity and start doing the same for each other.
February 24th, 2006
|12:34 pm - Pollution Riots in China|
Here's a good "foreign" concept: pollution riots. From Stratfor (262637):
In the rapidly industrializing sections of China, this dynamic has taken on political overtones as well. The term "pollution riot" has been coined to describe uprisings in small cities and villages, with residents protesting over chemical spills, leaks, eruptions and other mishaps. For example, a three-day riot last July in Xinchang, in Zhejiang province, led to the shutdown of a local factory that was dumping untreated effluents into the area's river. For locals in such places, pollution is about much more than smog or a ruined river. It is also a symbol of a greater and intensely personal set of complaints -- about corruption, inequality and social changes -- that has dramatically altered their lives and their views about their society, their country and the safety of their families. The "pollution riots" are not started by environmentalists, and they are not about the environment per se -- but pollution is a visible outgrowth of the issues that spark the protests, and it is quite tangible in these communities.
The local officials who are targets of the public's rage are viewed as consciously trading clean air and water for rapid economic growth and, by extension, their own personal prestige and wealth. Increasingly, Chinese citizens are letting it be known that they do not approve of this trade.
I knew China had a major pollution problem, what with trying to support a quasi-21st century economy on coal. I didn't know that "air and water in some parts of China are so polluted that they can scarcely support life." But, if pollution is that bad, I guess pollution riots make sense. I don't think America has ever seen anything like that, even with smog alerts that mean children can't play outside and a river in Ohio that caught on fire. Either Americans are really laid back or China has a lot of problems such that even pollution can spark a riot.
February 22nd, 2006
|12:53 pm - More in Apple Security News|
I tried to go easy on Leander Kahney. He dismissed the recent Mac worms, but his Cult of Mac blog seemed to honestly examine the threat at least. Then today he wrote "Mac Attack a Load of Crap". In it, he gives the litany that any Windows user or security professional would give:
Mac security-threat stories are annoying, he said, because they play off misconceptions -- held with a fervor bordering on the religious -- that the Mac platform is inherently more secure than Windows. Not so, he insisted. Microsoft has done some stupid things that exposed its customers to unnecessary risks compared to Mac users. But all systems are theoretically vulnerable, so it's inevitable that the Mac citadel will eventually be breached.
The Mac has had no viruses to date, he said, primarily because of its small market share. It's got a superior track record compared to Windows, but it's not invulnerable; rather, no one has bothered to spend much time trying to attack it. Now that hackers are taking more notice, life will get harder for Mac owners. He suggested I tackle this "wake up call" in this column.
He told his fellow Mac users to go back to sleep.
Last month, there were four "massive" virus attacks on Windows, according to Commtouch, an antispam and antivirus vendor. Indeed, viruses are now so aggressive, they routinely outpace attempts by antivirus companies to distribute protective signatures.
This state of affairs is now so common, I hadn't noticed -- and I work for a technology news site. "Virulent computer virus infects millions worldwide, other non-news at 11."
These Mac "threats" are only news because of their novelty, not the threat level they pose.
Kahney has shown himself to be remarkably out of date considering that he works for a technology news site. "Virulent computer virus infects millions worldwide" is so 2005. These days, virus writers are after profit rather than downing a bunch of machines. Windows viruses aren't outpacing antivirus signatures; they're moving slowly and attacking specified targets rather than anything with an ethernet cable. They're keeping a low profile so antivirus companies have problems even finding them. The idea that Windows viruses have gotten super-aggressive is the fantasy of a man who hasn't had to consider real security issues before.
Worse, however, is Kahney's reaction to a flaw in the Safari web browser. Safari mishandles metadata included in ZIP archives, allowing a hacker to disguise malicious code. If a user downloads a ZIP file from the web, Safari will automatically open it and run any malicious code it contains. Further, there are ways to force Safari to open a ZIP file without user input. Kahney is unimpressed.
As for the Safari hole, it's a vulnerability, not an exploit, and there are probably dozens of these in OS X, maybe more.
The same is true of Windows and other platforms -- there are dozens of potential ways in, according to the SANS Institute, but a vulnerability does not an exploit make.
This paragraph floored me. It's a vulnerability, not an exploit. This is the worst way of finding a silver lining in a cloud. It's like saying an unguarded section of an army camp is simply an unguarded section—that doesn't necessarily mean the insurgents have snuck in. It may be true, but if you don't get on that in double-plus time, insurgents will sneak in.
And Kahney, having read the run down about the latest Apple worms and Safari vulnerabilities, should have noticed certain little details.
Also, I'm not going to turn off any preferences that make my daily computing habits any less convenient (the browser takeover is protected against by disabling the "Open safe files after downloading" preference in Safari).
The smuggest of smug Mac users is right: the platform is more secure, and these new security threats are no more threatening than a paraplegic kitten.
The Safari flaw is the sort of vulnerability malware writers look for. When asked whether a worm is possible, Sophos' Graham Cluley wrote "I don't think yet that we're seeing the intensity of hacker activity on the Mac platform that would suggest that this is likely. My feeling at the moment is that the Mac OS X malware we are seeing is being coded by a small number of individuals who are doing it as a proof-of-concept, an intellectual exercise if you like."
I agree with his assessment. But the only assurance he can offer is the good intentions of the people looking for Mac holes. This is a real flaw that could see a worm if someone puts forth the effort. The Safari flaw allows automatic code execution, making it wormable. I don't think a worm is on the horizon, but if one is, are Mac users prepared to face it?
Leander Kahney writes the Cult of Mac blog. He's an expert on the Apple World. If he doesn't see the threats, Mac users could become this year's major chink in our cybersecurity.
February 21st, 2006
|02:47 pm - Ensign Ricky|
You are An Expendable Character (Redshirt)
Since your accomplishments are seldom noticed, and you are rarely thought of, you are expendable. That doesn't mean your job isn't important but if you were in Star Trek you would be killed off in the first episode you appeared in.
|12:25 pm - A Brave New World for Apple|
Two proof-of-concept worms have been released for Apple's Mac OS X. The first worm, Leap-A, spreads over Apple's iChat instant message service, presenting itself to users as a link to a file of compressed images, according to TechWorld. If users click the link, the worm installs itself, disguised as a JPEG image, and forwards itself to users in the infected machine's buddy list. While this virus is spreading in the wild, it poses little threat.
The second, called OSX.Inqtana.A, exploits a Bluetooth vulnerability Apple patched in June 2005, according to Security Focus. It has not been found in the wild and is programmed to deactivate on February 24, 2006.
This has been expected for some time. Apple used to have an insular following. But then it joined the Unix family with Mac OS X, and then it switched over to Intel processors, familiar to many Windows hackers who never would have bothered with IBM's PowerPC chips.
The Apple security culture is still immature and not ready to handle worm threats. I would put them years behind the rest of the cybersecurity community. Apple has a habit of releasing security patches quietly and without much detail. Apple will make passing reference to "security fixes", but people used to dealing with security expect a lot of details. What is the nature of the flaw? What component does it affect? How did the vendor learn of it? When? How long since discovery did it take to produce the patch? How much damage could it do in the worst case scenario? In the likely case? In the security world, these are often questions you need to know now. Even if damage to my Mac is minimal, I need to figure if my Mac could serve as a gateway to other machines.
Apple will start answering these questions once their users demand it. But Apple users aren't used to security issues and have shown remarkable naïveté in their reaction. The tone at Leander Kahney's Cult of Mac blog at Wired is especially troubling. I've been writing security news off and on since 2002—full-time since summer 2003. Security writers reporting on a new malware will make clear whether it's spreading "in the wild" or whether it's a "proof-of-concept". However, "proof-of-concept" only means the malware carries no malicious payload and was developed for research purposes. The flaw it exploits still exists, and the proof-of-concept can be adapted into truly malicious code. It proves the concept. But Kahney seems to use "proof-of-concept" to dismiss the threat.
Nonetheless, Leap-A appears to be the first OS X malware "in the wild." A previous OS X nasty -- a Trojan horse dubbed MP3Concept -- turned out to be a proof of concept only.
Rob Griffiths at Macworld also gets in on the game:
While Leap-A has the potential for mischief, it’s not anything like a crippling Windows virus that periodically brings the rest of the computing world to its knees. More important, as explained below, this incident doesn’t expose a security hole in the Mac operating system.
First, he is about a year behind the curve. Virus writers don't write crippling viruses anymore, for the same reason we don't fight nuclear wars: they destroy wealth. Countries go to war all the time, and it usually ends up costing more than it was worth, but they at least believe they can gain something. No one believes that with nukes. You launch one, and the target is completely obliterated. Similarly, virus writers have realized that crashing the system is a lot less profitable than infiltrating it.
When Mac users start facing viruses, they're not going to get something like Slammer or Witty. They're going to get a keylogger, something that the user won't notice until their bank account is empty.
Also, just because there is not an underlying flaw doesn't mean that Mac users don't still face a problem. Slammer shut down banks and airlines not because it was so destructive, but because it replicated so well it clogged communications. Though it exploited a flaw in MSSQL to get this far, a virus on your Mac can cause problems for you and others even if it doesn't exploit a Mac flaw.
The Leap-A malware does not mean that OS X is any less safe from viruses than it was prior to its release. Socially-engineered malware has always been possible, and will always be possible. If you can get a user to run something, then clearly, you can choose to do whatever you wish while your code is executing. While there are some things Apple can do to make us all even safer (for instance, InputManagers should not be installable without explicit permission), I still believe OS X is a very secure operating system, and I have no concerns about using it on a daily basis. Neither should you.
I don't want to be alarmist. The sky is not falling for Mac users, and I don't foresee an Apple pandemic in the near future. But Apple is starting to face the same sort of real security issues the bigger players have had to face for years now, and Mac users have to start taking security seriously. Mac OS X is still a relatively safe operating system compared to Windows. But Windows users have experience dealing with firewalls, antivirus, and other features Mac users should also have.
Yes, Macs are harder to hack than Windows. But they can be hacked. And some day, some botmaster is going to realize that once he's cracked a Mac, its user will most likely have no idea how to fix the problem, or even that there is a problem to fix. That is the real danger of these viruses: not the harm they do or could do, but the weaknesses they show in Apple's human firewall. It seems so many are trying to convince themselves that Mac OS X is not flawed, they miss the point of security. Hackers are starting to seriously consider the Apple platform as an attack vector, and even if Mac OS X is still as strong as we thought, Mac users' inexperience with security could put the rest of us in danger. Mac users must realize this and start carrying their small share of the cybersecurity burden.
1. I shouldn't be too hard on Mr. Kahney. He did also write: 'However, as CME notes in its statement, the worm is a wake-up call for OS X users with a false sense of OS X's invulnerability: "Now that Leap.A has been discovered in the wild, copycat media-craving individuals will likely launch similar attacks in 2006."' Which fits in nicely with my last point.
|11:41 am - So that's why ...|
Stratfor has always credited Iran with having one of the most effective intelligence agencies in the region, and now I know why:
"Iran's intelligence apparatus remains one of the most sophisticated in the Middle East, due largely to the legacy of training provided by the CIA to SAVAK, the Shah's secret police."
Would you like to know more? (Wikipedia)
February 20th, 2006
|10:58 am - The Kidnapping Industry of Paris|
Stratfor has put out a Terrorism Brief examining the case of the kidnapping, torture, and eventual murder of a cell phone salesman in Paris. Parisian Police have detained thirteen suspects linked to the kidnapping, an apparent gang that kidnaps people for the ransom money.
The kidnapping business is usually one found in the developing world, in places like Colombia, Mexico, and Iraq. For one to operate in Paris is highly unusual. However, Paris has seen four of these kidnappings since December 2005. These kidnappings usually don't end in death, since killing the hostage usually ruins the chances of getting a ransom.
However, there is a wrinkle the Stratfor article does not discuss in much depth. Many of the detained suspects were of North African descent, and the abductee was Jewish. While French authorities are downplaying the possibility of anti-Semitism, I wonder how much that may have figured into the kidnapping. Who are the other suspects? Is the gang really a Cour des Miracles International Brotherhood of the Down-Trodden just trying to make a few bucks? Tensions have been increasing in Europe between the majority and Muslim immigrants, especially over the cartoon controversy. I think we'll see greater tensions in the future. I would like to know more about the composition of this gang to understand its impact against this backdrop of tensions. Even if jihadism played no role in the kidnapping, the perception that it did could exacerbate those tensions.
February 18th, 2006
|07:43 pm - De(con)struction|
I've noticed I've been deconstructing my arguments with Jess.
This is good. Before, I used to relive my arguments with Jess. I'd go to the old apartment, mostly empty, to pick up a few things, then all of a sudden find I was in a different room and really mad. Now, I can look at the fights without becoming emotionally involved.
Life goes on.