inside the man

Thursday, December 22, 2005

SANS Hacker Techniques review

This is an overview post for the series of daily reviews of the SANS Hacker Techniques, Exploits, and Incident Handling course that I have been posting.

Overall, I found the course was extremely valuable. A couple of tips:
  • Do not miss the final day.
  • Bring a powerful laptop that preferably dual boots between Windows and Linux; or else bone up on VMWare configuration.

  • Topics: Incident response procedures, reconnaissance, scanning, exploiting, keeping access, covering tracks
  • Overall value: 4 out of 5
  • Coolness: 5 out of 5

Wednesday, December 21, 2005

SANS Hacker Techniques - day 6

Capture the flag for hackers. This completely hands-on day was so amazing that it made up for any other deficiencies in the course. If you must miss a day of the course, do not miss day 6.

Here is the setup. Star configuration LAN. Off each of the eight ports of the central switch was a six-port hub, the team hubs. Each team of two to five students plugged their laptops into their team hub and configured their NICs according to particular settings, one subnet per team. On one hub, however, were four IBM laptops, the targets, each of which held a text file in its root directory whose name began with "flag" (i.e. flag1.txt). The four targets are also on their own subnet. Within each of these flag files there are hints to discover the secret fifth flag. While connected to the game LAN, players are allowed no other external connections (i.e. no hotel wireless). Players are permitted, however, to disconnect from the LAN, leave the war room, download tools or Google exploits, then return.

I was on a team of three with two RCMP tech-crime officers. One of them was a veteran of these sorts of exercises and a wizard with the Metasploit Framework. I came ready with an array of password sniffing and cracking tools thinking that was a wise addition to my colleague's skillz. Our third team member was openly out of his element, being much more comfortable with forensics. While my decision to prepare for good old fashioned password attacks would prove to serve the team well, my decision to focus on Windows as an attack platform would not.

Before the game started, the instructor went over the ground rules (such as no attacking or DoSing the other teams), the simulated publicly available information on the targets (whois and Google search results), and other preliminaries. The instructor's speech was interrupted by one student's Zone Alarm ringing off that his computer was under attack (or at least heavy scan) by four IP addresses on our game LAN! In a moment four names were called and four students were led out of the room for a stern talking to, although they eventually were allowed to return. Meanwhile the game began.

I squandered the first hour or so of the test trying to get nmap to work under Windows. I never did find out exactly what was wrong. Was it wpcap? Was it a network driver issue? Who knows. While I struggled with this issue, my teammate drew first blood. His stated strategy was do not even bother with vulnerability scanning - just find a listening TCP port or two and start hitting them hard with Metasploit (his personal favorite). This paid off as he demonstrated to the instructor that he had flag 1 in hand. I then took my teammate's advice, turned my back on Windows, and inserted the knoppix-std boot CD. This advice was pure gold (and knoppix-std is a sweet set of tools).

Without my technical issues holding me back, I completed my nmap scan in seconds, and turned my attention to password attacks against an attractive looking box running telnet and ftp with the help of my RCMP forensics-focused teammate. Our Metasploit jockey continued his exploit onslaught on his own. After a quick review of the whois information, we had some potential passwords to try. The second account that I tried had a blank password! Without further ado, I was in with telnet, straight to the root directory, and opening flag4.txt, which happened to be world-readable. While several other teams had found either flag 1, 2, or 3 at this stage, I was the first to hit flag four! I have to admit that this made me feel awfully good.

The host that I had gained user-level access to was a Linux box that was not employing shadow passwords. In moments, I had used the running ftp service to transfer the password file to my laptop in preparation for some cracking. I took a moment to seed John the Ripper's default password dictionary with a few potential tidbits garnered from the publicly available information, and John was on his way. Meanwhile, we confirmed that the user account that got me to flag 4 did not have a blank password on the next host with login services running - in this case ssh and telnet. However, in less than a minute, John had recovered the password for another user from the flag 4 host. Sure enough, this gets me into the next box, also running Linux, and directly to the root directory where flag 3 resides. Unfortunately, flag 3 is readable only by root, and, to make matters worse, this box does properly employ shadow passwords. However, as luck would have it, I stumbled across a world-readable copy of the shadow file in the root directory. The instructor told me afterwards that this was to simulate common shoddy administrative practices. Soon this file was also fed to John, who shortly recovered another password...
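The two administrative mistakes that handed over flags 4 and 3 (hashes or blank passwords left in the passwd file instead of the shadow file, and a copy of the shadow file readable by everyone) are the kind of thing a host audit should catch before a game like this does. The following C program is an added example, not material from the course or this post; the function names and the sample passwd entries are constructed for illustration, and the mode check uses the POSIX S_IROTH bit from sys/stat.h.

```c
/* Added example (not from the SANS course or the blog post): a small audit for
 * password hashes or blank passwords left in a passwd(5) file, and for a shadow
 * file copy that is readable by "other".  Function names and sample data are
 * constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum pw_issue { PW_OK = 0, PW_BLANK, PW_HASH_IN_PASSWD, PW_MALFORMED };

/* Classify one passwd line by its second field.  "x" or "*" means the hash
 * lives in the shadow file (or the account has no password login), a leading
 * '!' is a locked account, an empty field is a blank password, and anything
 * else is a hash sitting in a world-readable file. */
int check_passwd_line(const char *line)
{
    const char *f1 = strchr(line, ':');
    if (!f1) return PW_MALFORMED;
    const char *f2 = strchr(f1 + 1, ':');
    if (!f2) return PW_MALFORMED;
    size_t len = (size_t)(f2 - (f1 + 1));
    if (len == 0) return PW_BLANK;
    if (len == 1 && (f1[1] == 'x' || f1[1] == '*')) return PW_OK;
    if (f1[1] == '!') return PW_OK;            /* locked account */
    return PW_HASH_IN_PASSWD;
}

/* A shadow file, or a stray copy of it, must not carry the "other read" bit. */
int shadow_copy_world_readable(unsigned int mode)
{
    return (mode & S_IROTH) != 0;
}

/* Walk passwd-format text line by line, counting blank and unshadowed
 * entries.  Returns the total number of flagged accounts. */
int audit_passwd(const char *text, int *blank, int *unshadowed)
{
    char line[512];
    int flagged = 0;
    *blank = 0;
    *unshadowed = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (len > 0) {
            int issue = check_passwd_line(line);
            if (issue == PW_BLANK) { (*blank)++; flagged++; }
            else if (issue == PW_HASH_IN_PASSWD) { (*unshadowed)++; flagged++; }
        }
        text = nl ? nl + 1 : text + full;
    }
    return flagged;
}

/* Constructed sample: a shadowed root, an account whose hash is in passwd,
 * a blank password, and a locked service account.  Not real credentials. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:$1$example$notarealhashvalue:1000:1000::/home/alice:/bin/bash\n"
    "bob::1001:1001::/home/bob:/bin/sh\n"
    "svc:!:1002:1002::/var/svc:/sbin/nologin\n";

int main(void)
{
    int blank, unshadowed;
    int flagged = audit_passwd(SAMPLE_PASSWD, &blank, &unshadowed);
    printf("%d flagged: %d blank, %d with hash in passwd\n",
           flagged, blank, unshadowed);
    /* Constructed mode: 0644 is what a careless copy into /root can leave. */
    printf("shadow copy with mode 0644 world-readable: %d\n",
           shadow_copy_world_readable(0644));
    return 0;
}
```

On a real host the same checks apply to every file whose name contains "shadow" in home or root directories, not just /etc/shadow; a copy that keeps the hashes but loses the 0600 mode is exactly the case described above.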

Cutting to the finish, this is as far as our team got. A team from a Quebec university was the only team to find all four flags and the fifth bonus flag.

Overall, it was spectacular to test drive a few of the tools that we had talked so much about. This final exercise tied the entire course together and demonstrated the clear value of the many hours of lecturing that we endured.

  • Day: Day 6
  • Topics: Capture the flag
  • Tools (at least the ones I used): nmap, John the Ripper, hydra, Metasploit Framework, nessus
  • Overall value: 5 out of 5
  • Coolness: 5 out of 5

Friday, December 16, 2005

SANS Hacker Techniques - days 4 and 5

Days 4 and 5 of the course were in many ways more of the same as Day 3 - great material, and lots of it, with only brief simple hands-on exercises from time to time (between two and four exercises daily). One of the more interesting exercises was cracking password hashes with John the Ripper. Another was seeing how many anti-virus programs were fooled by simply getting a hex editor and changing the port at which tini listens. The Covert_TCP file transfer was also fascinating - essentially it transfers data one byte at a time within TCP/IP headers. I'd like to see your IDS pick that up!

Unfortunately, I missed a significant portion of the afternoon of Day 4 due to a combination of illness and client demands. Again, over these two days, the balance of lecture to hands-on seemed to be off, although the content of the lectures continued to be detailed, wide ranging, well researched, and more than a little frightening.

  • Day: Days 4 and 5
  • Topics: Password cracking, getting a shell, worms, web app attacks, DoS, backdoors, app level trojans, backdoor wrappers, rootkits, hiding files, covering tracks in logs, covert networking, more stego
  • Tools: brutus, hydra, Cain and Abel, Rainbow Crack, SYSKEY, John the Ripper*, PAM, shred, netcat*, phatbot, SQL Slammer, OWASP suite of tools, Achilles, Paros, Windows at command, CpuHog, Ping of Death, Rose, Smurf, synflood, Tribe Flood Network 2000, tini*, VNC, WinVNC, Sub7, Back Orifice 2000, Setiri, wrappers, burneye, Ollydbg, LRK, AFX, Solaris kernel-mode rootkit, KIS, Adore, FU, Rootkit Revealer, LADS*, WinZapper, reverse www shell, Loki, Covert_TCP*, cd00r, s-tools, stegdetect, xsteg (In the appendix but not discussed: red button, campas, aglimpse, crack, lc5, GetAdmin, SecHole, NetMeeting Buffer Overflow, Tooltalk Buffer Overflow, IMAPd Buffer Overflow, WinNuke, land, redir, SMBRelay, TBA Palm OS War Dialer, QAZ, T0rnkit, RDS, jolt2, DumpSec, Tin00, knark)
  • Overall value: 3 out of 5
  • Coolness: 4 out of 5

* Starred items were part of hands on exercises.

Thursday, December 15, 2005

SANS Hacker Techniques report - day 3

Day 3 entered the dark realm of exploiting systems. While we dealt with a wide variety of fascinating material, the balance between lecture and exercise was off today. There was a lot of lecturing about topics that, let's face it, are difficult to lecture about, like buffer overflows. First off, it is difficult material that cannot be explained quickly. It would be great to step through some actual running software, walking and jumping down the stack, but this is not an assembly language class. Somebody should, and maybe already has, come up with a way to visualize the process of a buffer overflow in an animated form.

The two main exercises were very interesting, involving remote command execution using netcat. However, both exercises were about, well, netcat, one on Windows and one on Linux. This was a bit of a letdown when there are so many other cool tools under discussion. I was itching to take the Metasploit framework for a ride, or to man-in-the-middle my neighbor's TLS session with the DSniff webmitm tool, but alas, it was not to be.

Here is a fun and safe format string attack to try out from the Windows command line:

C:\> sort %x%x%x
7c812ca900The system cannot find the file specified.

Now try adding a few more percent x's and watch the hex grow!
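The hex that grows with each extra %x is the result of a program passing user-controlled text straight to a printf-family function as the format string, so each directive consumes one more value from the stack. Below is an added C example, not code from the course or the post, that shows the hardened idiom (a constant format with the data passed as an argument) alongside a small check that counts directives in untrusted input so a caller can log the attempt. The function names are hypothetical; the sample input is constructed after the post's demo.

```c
/* Added example (not from the SANS course or the blog post): the C pattern
 * behind the "sort %x%x%x" demo in its hardened form, plus a check that flags
 * untrusted strings carrying printf directives.  Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in a string.  "%%" is a literal percent
 * sign and is not counted; a trailing lone '%' is counted because printf
 * would still try to interpret it. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Render untrusted text into out[] without letting it act as a format string.
 * The vulnerable idiom that produces the hex leak shown in the post is
 *     printf(in);            // in = "%x%x%x" walks the caller's stack
 * The fix is a constant format with the data passed as an argument:
 *     printf("%s", in);
 * Returns the number of directives that were neutralised so the caller can
 * record that someone fed it format directives. */
size_t render_untrusted(char *out, size_t outsz, const char *in)
{
    snprintf(out, outsz, "%s", in); /* constant format, data as argument */
    return count_directives(in);
}

int main(void)
{
    /* Constructed input modelled on the post's demo, not a captured value. */
    const char *untrusted = "%x%x%x";
    char buf[128];
    size_t n = render_untrusted(buf, sizeof buf, untrusted);
    printf("rendered: %s (%zu directive(s) neutralised)\n", buf, n);
    return 0;
}
```

GCC and Clang warn about the vulnerable idiom when compiled with -Wformat-security (a non-literal format with no arguments), and many distributions build with -Werror=format-security so that it fails outright; turning that on is the cheapest check for this bug class in a C code base.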

  • Day: Day 3
  • Topics: Exploiting systems, IP spoofing, sniffing, session hijacking, DNS cache poisoning, backdoors, buffer overflows, protocol and parser problems, hiding payloads, steganography
  • Tools: ethereal, snort, Sniffit, Dsniff, hunt, TTYWatcher, IP-Watcher, Ettercap, jizz, Zodiac, netcat*, Metasploit, inetd, tftp, ADMutate, Hydan, printf format strings*
  • Overall value: 3 out of 5
  • Coolness: 4 out of 5

* Starred items were part of hands on exercises.

Wednesday, December 14, 2005

SANS Hacker Techniques report - day 2

On day two, discussion moved on to the lifecycle of a networked computer attack, and we got to use some tools! At a high level, the life cycle of an attack is:
  • Step 1: Reconnaissance
  • Step 2: Scanning
  • Step 3: Exploit Systems
  • Step 4: Keeping Access
  • Step 5: Covering the Tracks

After providing this overview, Day 2 focused on Reconnaissance and Scanning. Essentially, the course explored methods and techniques for "casing the joint" in order to identify potential targets, then probing those potential targets for promising attack vectors. There were a number of hands-on exercises that you carried out on your own isolated laptop using Linux and Windows. You could either set up your laptop to dual boot, or use a provided VMWare Linux image with a 30-day demo of VMWare Workstation.

While the material did not cover a great deal of new ground for me, it is fundamental material that all infosec practitioners, and many other IT professionals, need to know. On the down side, it would have been more interesting to try out these recon and scanning tools on a private LAN instead of just on your own host. Overall, it was a good day. I wonder how many of my classmates returned their NetBIOS and Media Sense settings to their pre-enum exercise state? I know I did.

  • Day: Day 2
  • Topics: Trends, Ethics, Attack life cycle, Reconnaissance, Scanning
  • Tools: whois, DNS, Google, SiteDigger, Sensepost, Sam Spade, THC-Scan, NetStumbler*, Wellenreiter, Hotspotter, ASLEAP, Cheops-ng, traceroute, nmap*, IP Personality, tcpdump*, P0F2, Firewalk, FragRouter, FragRoute, Nessus*, SATAN, Nikto, Whisker, the Windows net command*, enum*
  • Overall value: 4 out of 5
  • Coolness: 3 out of 5

* Starred items were part of hands on exercises.

SANS Hacker Techniques report - day 1

There are roughly 40 hardened computer geeks in the class. Each has his or her (there are two women in the class) laptop and the corresponding web of power, USB, and other cables. The students are a varied lot from the US and Canada ranging from techies from start-up infosec firms, to university security techs, to consultants such as myself.

I took a seat in the back row at a long table with four other occupants - two RCMP cyber-cops to my left and two Cisco pre-sales guys on my right. I should note that there are one or two disruptive influences in the class as well. These one or two, whom I will not identify, have an irritating tendency to monopolize class time. Not by asking too many questions as you might expect, but by offering up their half-informed opinion on every topic of discussion. I suppose they are trying to assert their self-perceived position of alpha geek.

Day one, Monday, focused entirely on incident response and was essentially the preparation session for the corresponding GIAC certification exam. The course material was a thorough overview of SANS recommended incident handling practices.

This was good solid material that everyone in the class needs, even if they were a little anxious to get their hands on some tools by the end of the day. Unfortunately, there was no effort to include any Canadian law in the discussions of computer crime law, rules of evidence, privacy legislation and so on. For the price of the course, SANS should be able to put together a few slides of Canadian material. (SANS - I am available to write course material on a contract basis.)

Here are a couple of entertaining anecdotes from the class:
  • "I don't think that it is morally right to ask users to remember 14-character passwords" - anonymous student
  • I asked the RCMP officer beside me if they use keystroke loggers. He responded in a serious tone, "I cannot answer that question." and regarded me with a dead-pan glare. Then he broke into a smile, "Just kidding. Of course we do!"

  • Day: Day 1
  • Topics: Incident handling
  • Tools: none
  • Overall value: 3 out of 5
  • Coolness: 1 out of 5

Update: I was mistaken. Individuals wishing to challenge the GIAC GCIH certification must master the entire six days of course material, not just the first day.

Structured blogging


"Structured Blogging is a way to get more information on the web in a way that's more usable. You can enter information in this form and it'll get published on your blog like a normal entry, but it will also be published in a machine-readable format so that other services can read and understand it. Think of structured blogging as RSS for your information. Now any kind of data - events, reviews, classified ads - can be represented in your blog."


King Kong review

CBC Radio One Toronto:

"Kong is the Belgian chocolate of eye-candy."

Tuesday, December 13, 2005

Near death experience on Air Canada (audio)

On flight 178 from Edmonton to Toronto, the man sitting in front of me has what appears to be a mild heart attack or stroke. I will never get to hear the final medical assessment of what happened to "Jerry" on the flight, but I was not alone in believing that he might actually die in the seat in front of me.

This is an audio post (around 4 minutes).

Monday, December 12, 2005

SANS Hacker Techniques report

I just completed day one of the much-lauded SANS 504 Hacker Techniques, Exploits and Incident Handling course at SANS Toronto 2005. I will be providing daily reports here, but for tonight I must retire early as my Sunday evening flight was a little more harrowing than anticipated. I will elaborate further tomorrow, but here is a summary of my experience so far.

Air Canada flight 178 from Edmonton to Toronto on Sunday, December 11, 2005. Man in seat 12D nearly dies in flight. I was sitting in 13D. I can confirm that it is not only in movies that flight attendants pick up the intercom and say, "If there is a medical doctor on the plane, please identify yourself to the flight crew."

SANS 504.1: Incident Handling. It was a somewhat dry day spent poring over standard incident handling procedures and example scenarios. It was disappointing that an expensive session such as this could not cover Canadian legal material.

Again, more on today and yesterday, and tomorrow, tomorrow. Did that make sense?


Saturday, December 10, 2005

40,000 free go game records

Following on the emotional and verbose controversy over the copyright of electronic Go game records that has been raging in and elsewhere for a while, Go software developer Frank de Groot of MoyoGo fame has started a free professional Go game collection that has now exceeded 40,000 games in SGF format. This is a spectacular idea. Go software vendors should focus on putting together great software to attract customers instead of relying on the scarcity of game records to make their living. Hopefully this will jump start a new wave of innovation in Go software.


Thursday, December 08, 2005

Google Desktop godsend or spyware?

I am not embarrassed to say it, I love Google Desktop. It has changed the way I work for the better in a way that has not been matched since WYSIWYG word processing became readily available. However, like many, I am very concerned by GT's threat to my privacy. Not only does GT index every web transaction that I make (other than those at URLs that I have explicitly excluded), every document I have, every email I send or receive, it caches it! This can be a blessing when I am trying to find something from long ago, but it is also a pretty complete log of my online life that I am not comfortable with others having access to.

Mathew Schwartz has published this interesting list of steps to managing Google Desktop securely from an enterprise risk management perspective:

  1. Use an enterprise DSE: Google Desktop is like instant messenger software: if you don't explicitly block it, it's guaranteed to be on some users' PCs, therefore consider centrally managing it. Desktop Search for the Enterprise, Google's administrator-controlled version, has a Group Policy control. It also enables centralized distribution and adds the ability to search Lotus Notes e-mails. Microsoft's WDS also offers centralized administration tied to group policies.
  2. Encrypt the index file: To secure the actual Google Desktop index -- in case an attacker manages to grab it -- set the Group Policy preference to "encrypt index." Note this only works on NTFS volumes.
  3. Change the index file's location: Beyond encrypting the index file, administrators can also change its default location, which makes it more difficult for an attacker to grab it.
  4. Disallow Google Desktop on PCs with shared login names: For PCs with multiple users, Google Desktop creates a different index for each user, mitigating many privacy and sensitive information-sharing concerns. However, in organizations where multiple employees share a computer and use the same username and password, prohibit the use of Google Desktop. If you don't, each user's Web sessions will be added to a centralized index.
  5. Disable HTTPS indexing: By default, Google Desktop indexes all cached Web pages, even if they're secure (HTTPS). Deactivating the "secure Web pages (HTTPS)" preference will prevent the indexing of sensitive information. Most other DSEs do not offer such functionality.

Wednesday, December 07, 2005

How to hijack a podcast

There is an interesting story about a hijacked podcast at eWeek. It includes details of how a vegan podcaster's feed was hijacked and held for ransom. From the article:

"The manner in which the purported hijacking occurred exemplifies the fact that RSS feeds are far more vulnerable to squatters than Web site domains. The method doesn't require stolen passwords or other overtly illegal methods.

Rather, it merely involves finding a target Podcast and creating a unique URL for it on a Web site that the hijacker can control. The hijacker then points his URL to the RSS feed of the target Podcast.

Next, the hijacker does whatever it takes to ensure that, as new Podcast engines come to market, the page each engine creates for the target Podcast points to the hijacker's URL instead of to the Podcast creator's official URL.


Tuesday, December 06, 2005

New go aggregation site online

Go Aggregator goes live!

There really is a wealth of English language Go / Weiqi / Baduk news, games, discussions, and blogs on the net now, and far too many English speaking go enthusiasts limit their online time to a Go server like KGS or IGS and Sensei's Library. While these places are great - in fact, they are spectacular - there is a lot more Go online that many would enjoy. So, with a little help from Blogger, Feedburner, and Feeddigest, I have put together Go Aggregator to help Go players find and stay on top of the incredible online Go resources that change daily. Check it out.


Terrorism, police, and the NYC subway

There has been an interesting debate over the past couple of days between the authors of the Concurring Opinions blog regarding the wisdom of police conducting random searches on the NYC subway system. The debate centres on whether such searches:
  • Will catch terrorists before they complete their attacks,
  • Will frighten terrorists away from the subway system by the show of power, or
  • Will not impact terrorism but make New Yorkers feel better.
Interesting reading.

Here is an interesting factoid (is this actually true?) from the discussion,

"Measured by its post-9/11 budget and personnel, the NYPD outranks all but nineteen of the world's standing armies."


Friday, December 02, 2005

The ethics of selling nothing

Temple University law professor David Hoffman invites us to consider if selling an empty box, and describing it as just that, for $611 USD constitutes some form of fraud. From his post:

"This is the PREMIUM BUNDLE BOX only. It would include bonus accessories, if it were the actual PREMIUM XBOX 360! DOES NOT Come with 20GB Hard Drive, Console, HD Cables, Wireless Controller, Headset! In other words for those of you who do not understand, YES YOU ARE GETTING AN EMPTY BOX SO DO NOT ASK! Great for gags! DO NOT bid if you don't intend to buy! No excuses, I will not retract bids for you! You will be reported to eBay if you backout after winning the auction. I Cannot be more clear! This is not even a factory made xbox 360 box. I made it myself, just a few minutes ago. It does not contain an Xbox 360 console, just the Xbox 360 home-made box. this box is great hand made by me says XBOX right on it[.] It doesn't look anything like the picture I included in the auction. It looks much better, in my opinion."

Geist challenges politicians on privacy

In an update on the never-ending Sony rootkit saga, Michael Geist challenges Canadian politicians to make privacy an election issue. Also, if you are a Canadian whose computer is infected with the Sony rootkit, Geist wants to hear from you. Could he be building a class action lawsuit (if that term is applicable in Canadian law)?

"Given all the prior revelations, Canadian action is now long overdue. There is ample evidence to warrant investigations from both the Competition Bureau and the Privacy Commissioner of Canada. Moreover, with the election campaign now in full swing, the various parties should take a stand on what they intend to do about deceptive use of DRM and whether they support much-needed legal protections from DRM. This fiasco has laid bare the dangers of the recording industry's support for DRM to consumers, artists, and retailers. With thousands of Canadians likely affected (if you are one, I'd like to hear from you), Canadian authorities can no longer sit on the sidelines."


Tuesday, November 29, 2005

A thought on pluralism

"Social justice is to pluralism what triage is to health. It is absolutely necessary but should not be mistaken for nurturing a healthy cultural life."

- David Goa, 2003


Monday, November 28, 2005

Terrorists and music downloaders

What does Bruce Schneier think about a proposal to use European anti-terror legislation to combat file sharing?

"Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies?"

Copyright and go game records

It has occurred to me that this blog lacks a certain laser-like focus on any one topic of discussion. This probably has a limiting function on my ability to attract regular readership. Just when I start thinking that I need to set up at least three separate single topic blogs to serve my need to comment on a diversity of subjects, a story like the following comes along. For the first time ever, I have tagged a post with "go" and "copyright"!

Roy Laird has published this interesting article in the American Go Association e-Journal on recent controversy on the application of copyright to the digital records of go games. (Reproduced in full in accordance with the terms in the AGEJ.)

"How did Kitani play against the variation of the san-ren-sei opening you've been studying? Was there ever a game that used the exact same first ten moves as your last match? Who likes the "avalanche" more, Takemiya or Cho Chikun? Thanks to searchable databases, answers to questions like these are now just a mouseclick away with software like GoGoD, GoBase, BiGo, Smart Go, and MasterGo. The latest entry in the expanding go software industry, Frank de Groot's Moyo Go Studio, has reignited the controversy about whether game records can be copyrighted ("A World of Game Records," here), an intellectual property debate that now rages worldwide as Google proposes to put libraries online and cheap Chinese DVD knock-offs show up on American street corners.

After reportedly paying CyberKiwon $600 for the use of their games, DeGroot, a Norwegian software engineer, is now openly and systematically harvesting game records from the collections of his competitors for his own commercial use, without their permission and against their wishes. On his blog (here), he describes the process of siphoning data from other programs in detail: "As I write this, the games on the latest GoGoD CD are importing into Moyo Go Studio and it looks good - thousands of new games!" And later, "I have calculated that it will take me about three months to export all of (SmartGo's) 30,000 games."

The creators of those collections are outraged at what they consider DeGroot's blatant theft of their work, having invested thousands of hours (and dollars) in the laborious game-by-game manual entry of game records into their collections. While there's a general consensus that no one has exclusive rights to a game record -- many well-known games appear in all the major collections - the question of whether a specific collection can be copyrighted is still being hotly debated. And beyond the legal issues, there's a more fundamental question of the ethics of taking work without permission or compensation.

De Groot's position on the legal issue is that "There is nothing in a set of SGFs (games recorded in the widely used Smart Go Format) that makes them copyrightable, when there are no added comments." However, according to US law, "A (copyrightable) 'compilation' is a work formed by the selection and assembly of pre-existing materials (e.g. uncopyrightable facts) or of data that are selected, coordinated or arranged in such a way that the resulting work as a whole constitutes a work of authorship."

Phone numbers, for instance, cannot be copyrighted, but phone books can be, as long as the collector exercises a "minimal degree of creative judgment," beyond mere "industrious collecting." Other types of legal protection are also available; for instance, some programs contain a so-called "shrink-wrap" contract agreement in which the consumer agrees not to reproduce the compilation. (see here for a fuller discussion of the law involved) A directive enacted by the European Union in 1996 also explicitly prohibits "unauthorized extraction of all or a substantial part of the data from a database for commercial purposes" and "unauthorized re-utilization of all or part of the contents of a database for commercial purposes."

Although the legal issues of the use of game records may be unresolved, there seems to be no disagreement on the ethical question. In a response to criticism of his behavior on, de Groot wrote, "I agree. Still, I am going to do it. It is wrong ethically, I fully agree. But not legally." (To view the entire thread go here.)

Interestingly, despite seeming to take an "information must be free" position, de Groot is encrypting the games he has taken, rather than making them freely available in SGF format, as have the creators of more established programs like GoGoD, GoBase, BiGo, Smart Go, and MasterGo.

Game collection developers who have invested significant resources over the years to build and maintain their collections are worried that de Groot's actions threaten the usability and existence of such collections. The obvious response to sticky digital fingers is for programs like GoGoD and SmartGo to remove the handy feature that allows the user to export game records as sgf files. And if someone can simply take such work product without permission or cost, the go software market - which is fairly limited to begin with -- is undermined and may well force out developers, an obvious loss for the go consumer.

Beyond the legal and ethical issues, the reality is that the go community is close-knit and thus far, the general response to de Groot's (who is not a go player) actions has been fairly negative. Major information sources like Sensei's Library and Gobase contain no references to Moyo Go; go software link pages (e.g. here) don't mention it and distributors don't sell it. The AGA, committed to the free flow of information, does provide a link to MoyoGo on its Computer Go page -- here -- along with dozens of other go software programs, and will include the program in an upcoming series of reviews of such software. Any references to Moyo Go will note the controversy; as informed citizens of the world go community, we each must decide how to live in that world.

Michael Geist has published a sobering Law Bytes column decrying the sorry state of privacy legislation in Canada. This discussion is in the wake of Canada's Privacy Commissioner's unpleasant surprise.

"Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as 'victims' of fraudulent activity and claim that a rapid response to the incident is proof that the Canada's privacy laws are working as intended, the reality is that Canadian law is simply ill-equipped to deal effectively with such incidents."

Saturday, November 26, 2005

A sorry position on the board

Here I am (in red) in the lightning round of the 2005 Sabaki Go Tournament pondering the painful death of the black group in the lower centre. I resigned after another 50 moves. Good job Terry.

Picture courtesy of Luke's Go School.


Tuesday, November 22, 2005

Updated list of top 20 security weaknesses

SANS released version 6.0 of their top 20 list of information security vulnerabilities today. In addition to the Windows, UNIX, and networking specific sections of the list, a section on cross-platform applications has been added this year. For those of you not familiar with this list, my advice to you is that if you take no other security management action at your place of work this year, at least make certain that your systems are not vulnerable to these few vulnerabilities. The list includes detailed descriptions of each vulnerability complete with recommended mitigating actions. Enjoy!
Firefox ponders Identity 2.0

The Identity 2.0 blog reports that Identity 2.0 (infocard, sxip, ping, or something else) is under consideration for inclusion in Firefox 2.0. Interesting... could this be the first step towards secure, transparent, and ubiquitous (on the web at least) identity services?

Friday, November 18, 2005

Cultural amnesia in our schools and retail outlets

One day last year when I was feeling scrappy, I asked a representative from my children's prospective school a loaded question. "How do you handle the teaching of cultural diversity and religious beliefs in the classroom?" I asked. I knew the answer, of course, but I wanted to see how she would respond. [The answer is that the public school system has a policy of avoiding all mention of the religious beliefs of those around us, except when safely couched in the cold framework of positivist history.]

After an uncomfortable pause, the representative, herself a confirmed secular imperialist it turns out, answered something along the lines of, "In the classroom, we try to focus on things that are physically tangible. For example, if we study dinosaurs, we try to focus on the study of fossils rather than imagining what living dinosaurs may have been like." Think about this statement for a moment as it is rich with ideological juices. I can think of a number of possible interpretations of this statement:
  • Utilitarian learning is more important than fostering creativity and learning about ideas.
  • Religion in particular and meaning in general is of less value than utilitarian learning.
  • Pondering ultimate reality and the divine, or by extension engaging in prayer, meditation, or contemplation, is an activity of similar value to daydreaming about the lives of dinosaurs.
  • Imagining how dinosaurs lived is an activity of low educational value.
  • And the list could go on...

I forget exactly how I responded, but I recall that I raised a few eyebrows and prompted a rapid change of topic. I did try to get across that the sort of thinking represented by this statement does a disservice to our children who need to be equipped to live and work in an increasingly pluralistic world and that the "dinosaur" statement at best represents fear on the part of the school board or at worst is a form of secular fundamentalism.

As an illustration of exactly what schools are afraid of if they were to actually engage in a serious conversation about culture and meaning, consider this recent story from el reg about a Wal-Mart employee known only as Kirby who was let go after responding to a customer complaint regarding the change of a "Merry Christmas" greeting to "Happy Holidays".

"'Christmas is actually a continuation of the Siberian shaman and Visigoth traditions,' Kirby replied. 'Santa is also borrowed from the [Caucasus], mistletoe from the Celts, yule log from the Goths, the time from the Visigoth and the tree from the worship of Baal. It is a wide wide world,' the helpful Kirby replied, making sure every I was dotted and every T crossed."

Thursday, November 17, 2005

American firms breach the privacy of Canadians

How would you feel if you found out that your private information, your cell phone call history for example, was available on the web? Here is Jonathon Gatehouse's description of Jennifer Stoddart's reaction when he showed her what he had bought online.

"Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office -- detailed lists of the phone calls made from her Montreal home, Eastern Townships' chalet, and to and from her government-issued BlackBerry cellphone. Her mouth hangs open, and she appears near tears. 'Oh my God,' she says finally. 'I didn't realize this was possible. This is really alarming.'"

See Schneier's blog for some discussion of the matter.

Monday, November 14, 2005

Sabaki Go Tournament 2005 Report

The Sabaki Go Club based in Edmonton, Alberta held its annual go tournament this weekend. There were around 40 entrants ranging in strength from 6 dans to 18 kyus, ranging in age from 60 something to 8 years old, and with entrants from as far away as Manitoba. The top spot was taken by an outgoing fellow named Wei (sorry, I did not catch your last name), a 6 dan visiting from Calgary. He narrowly defeated one of Edmonton's strongest, Luke Chung 6 dan.

On a more personal note, I attended only the second day of the two day event, entering the "Lightning Tournament". The tournament director, in a moment of madness, entered me in the upper division of this handicap tournament as a 3 kyu, which is four ranks stronger than my rank in the club. Nonetheless, I won my first game, only to fall in the second round to the winner of the affair, Terry Fung 4 dan.

Before and after the formal tournament, there were many friendly games to be had and a great deal of boisterous game analysis - including extensive analysis of the top games in Cantonese, which was lost on me. One interesting turn of events for me was losing to a friendly fellow when he gave me a five stone handicap only to later defeat him when he gave me two stones. What does it mean?

Sunday, November 13, 2005

Google Print is not for us, it is for Them

George Dyson provides us with this intriguing quote from an anonymous Google employee:

"'We are not scanning all those books to be read by people,' explained one of my hosts after my talk. 'We are scanning them to be read by an AI.'"

Saturday, November 12, 2005

Sony DRM update

Schneier on the latest Sony DRM

"Here's the story, edited to add lots of news. There are lawsuits. Police are getting involved. There's a Trojan that uses Sony's rootkit to hide. And today Sony temporarily halted production of CDs protected with this technology..."

Thursday, November 10, 2005

Sony rootkit fallout

These stories were inevitable...

El Reg: First Trojan using Sony DRM spotted:
"Roots you, Sir. Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs.…"

Slashdot California Suing Sony Over Rootkit DRM:
"carre4 writes 'California has filed a class-action lawsuit against Sony and a second one may be filed today in New York. The lawsuit was filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, CA. It asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the 'Consumer Legal Remedies Act,' which governs unfair and/or deceptive trade acts; and the 'Consumer Protection against Computer Spyware Act,' which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices. EFF has released a list of rootkit affected CD's and Slashdot user xtracto also has a list.'"

digg PestPatrol detects and removes Sony's DRM software:
"It seems like at least one major spyware/antivirus company has the nads to take on Sony. Will Sony sue to have their name removed from every blacklist?"

Monday, November 07, 2005

Monkeying with your OPAC

First off, I hate the term "OPAC", but I had to make sure that I got the attention of all of the librarians out there. For non-librarians, OPAC stands for "online public access catalogue", which is a ridiculously antiquated way of referring to a library's search interface. These days, this is usually a web-based search interface of an integrated library system or "ILS". Your local public library probably has one, your local university and college libraries probably have one, and your local school library probably does not (most school libraries do not make this a priority).

Anyway, much has been said lately of the shortcomings of most library search interfaces. My favorite critiques come from Mr. Lorcan Dempsey and of course Ross Singer's classic post Polishing the turd: the dangers of redesigning the OPAC. Virtually every library uses COTS for their ILS as there is really no other option (go!). There is now a way, at least in theory, to transcend the limitations of your ILS web interface without being limited by the API or web templating language, and without tampering under the hood in a way that might violate your licensing or support agreements. The Ajaxian blog brings to our attention monkeygrease!

Monkeygrease is for the server side what Greasemonkey is for the client side (at least with Firefox). Basically, it uses the filtering function of current Java Servlet engines to rewrite HTML en route to the browser. This could be a significant tool in modernizing your web search without having to wait for your ILS vendor to do it. The possibilities really are endless - from including information from outside your ILS in search results to a fully Ajax enabled search, and everything in between.

Let me know if you plan to try this out.

Well, it's that time of year again. The snow has come to Edmonton, Alberta, Canada, seemingly to stay.

Thursday, November 03, 2005

Battle of 'legit' malware

I find this humorous. Slashdot reports that Sony's rootkit thwarts Blizzard's spyware:

"First, news of Warden - a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."
I told you so: Oracle password protection flawed

Schneier has blogged a paper published on the SANS site that exposes the weakness of the Oracle password hashing algorithm. Reading this gives me a warm feeling of validation as I think back to a number of debates I have had with colleagues over the past few years. These debates typically went like this:

Colleague: "Chris, why does your design include building a password hashing algorithm when we could just use [insert commercial database name here]'s password encryption function?"

Chris: "Because I want to be able to demonstrate to our clients that we are protecting passwords with strong cryptographic hashes with a transparent easy to audit process."

Colleague: "But [insert database vendor name here] says this new password protection function is top notch." (Holds up whitepaper from vendor's website)

Chris: "Sigh."

Here is the abstract:

"In this paper the authors examine the mechanism used in Oracle databases for protecting users' passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value. We also describe how to implement a password recovery tool using off-the-shelf software. We conclude by discussing some possible attack vectors and recommendations to mitigate this risk."

Tuesday, November 01, 2005

The death of the grave

As part of Halloween fun, my family and I were quite proud of the grave that we created in our front yard, complete with a partially exhumed zombie seemingly clawing at trick-or-treaters on their way to our door.

It seems, as we move now to the Catholic feasts of All Saints (today) and All Souls (tomorrow), that there is some concern about graves not being taken seriously and what that means to our spiritual and psychological well-being. Deutsche Welle has this interesting piece on the matter. Here is an excerpt.

"The church remains critical of such changes in burial culture. Joachim Wanke, Bishop of Erfurt, who is himself responsible for questions of congregational policies, put forth this reservation at the German Bishops' Conference.

'It used to be that the dead were at the center of funeral ceremonies,' he said. 'Now it's also those of us who are left behind who need a ritual.'"

Friday, October 28, 2005

A strong female voice for Islam

The International Conference on Islamic Feminism currently underway in Barcelona calls for a "gender jihad" against sexist readings of Islamic sacred texts. Here is an excerpt from Abdennur Prado's keynote call to arms:

"Opposing this internal criticism (deconstruction of the patriarchy based on the sources of Islam), we consider that Western culture's claim to superiority is not an effective adversary against fundamentalism, as this attack fails in its objective and tends to inflame even further these opposing stances. The more aggressive the pro-westernisation stance is and the more it relies on arguments based on a fear of Islam, the more strength is gained by the fundamentalist movements that present themselves as defenders of their religion in the face of these attacks 'from outside'.

Nor are attempts at 'social engineering' effective, such as that of Kemal Ataturk, put in practice in Turkey - banning the veil, closing the sufi associations, substituting the Arabic alphabet for the Latin alphabet, repressing all public expression of religious acts, etc. The failure of this policy could not be more spectacular. The social engineering and spread of anti-religious secularism carried out has not achieved its aim. In fact, Turkey has gone from being a region characterised by syncretism, the mixing of cultures and religious pluralism, to be a country in which traditional Islam is threatened by political Islam (Islamism)."

Wednesday, October 26, 2005

Twins for Hitler? A fresh face for fascism?

While surfing some religious blogs this morning, the photo below caught my eye on a blog called doxology. Here is an excerpt from the underlying ABC story:

"They may remind you of another famous pair of singers, the Olsen Twins, and the girls say they like that. But unlike the Olsens, who built a media empire on their fun-loving, squeaky-clean image, Lamb and Lynx are cultivating a much darker persona. They are white nationalists and use their talents to preach a message of hate."

Tuesday, October 25, 2005

Inside a penetration testing shop

It's one thing to build Nessus on your Linux box, turn all tests on, enter a target IP, click go, and watch the test progress bar grow. After hundreds of thousands of Ethernet TX/RX LED flickers, Nessus will present you with a nicely formatted report of any and all vulnerabilities it discovers - including an inevitable rash of false positives. It is an entirely different thing to get a well trained and well equipped team of white hat hackers to try and bust into your critical web based systems. Do not get me wrong, Nessus is a spectacular information security tool, but just as people are better than computers at playing the game of go, people are better than automated tools at uncovering system vulnerabilities. This is especially true in the realm of web application vulnerabilities, an area where the available tools have not reached the level of sophistication that Nessus and its commercial counterparts have for general remote host audits.

Jeremiah Grossman has a column on BetaNews that gives an inside look into his web application security outfit, WhiteHat Security. Here is an excerpt.

"With the necessary paperwork signed and account credentials generated, we were ready to go. The URL and username/password were revealed to the racers and the symbolic green flag dropped. The next several seconds we heard nothing but mouse clicks and keyboard tapping.

From past experience we've learned that the fastest way to victory is to target the search boxes first and try for a speedy XSS win. Search boxes are notorious for such insecurities. It's a cheap trick, but it works. Next, it's best to look for input parameters and determine if any of them echo URL query data, indicating another potential spot for XSS.

The first 60 seconds of the race flew by. Nervousness set in because we knew that at any moment someone was going to claim speed-hack victory. Bill Pennington (WhiteHat's VP of Services), in what is becoming a trend, identified the first vulnerability (XSS) in about 1 minute 30 seconds. In classic style, we cried foul because he could arguably only exploit himself with XSS and represented no further risk."
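The search-box reflection that Grossman's racers go after first, seen from the defender's side, as an added example that is not part of the column or this post: a constructed search handler that pastes the query into the page unencoded beside its HTML-encoded form, and a self-check a developer can run to learn which query parameters a page reflects raw. The host name, handler names and page markup are all constructed for the example.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Characters that correct HTML body encoding must transform; a value that
# still contains them in the response was reflected without encoding.
MARKUP_CHARS = '<>"\''


def render_search_vulnerable(params: dict[str, str]) -> str:
    """Constructed 'before' page: the search term is pasted straight into
    the HTML, so whatever the user typed becomes markup (the defect the
    column describes). The page parameter is never echoed at all, so it
    is not a reflection point even in this version."""
    query = params.get("q", "")
    return f"<h1>Results for {query}</h1><p>0 results.</p>"


def render_search_hardened(params: dict[str, str]) -> str:
    """'After' page: every reflected value is HTML-encoded for the body
    context, so '<', '>', '&' and quotes reach the browser as text."""
    query = html.escape(params.get("q", ""), quote=True)
    page = html.escape(params.get("page", "1"), quote=True)
    return f"<h1>Results for {query}</h1><p>0 results (page {page}).</p>"


def echoed_unencoded(url: str, body: str) -> list[str]:
    """Given a request URL and the response body it produced, name the
    query parameters whose value contains markup characters and appears
    in the body verbatim, i.e. without output encoding. Works on any
    captured URL/body pair, not only on the constructed handlers above."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name
        for name, values in params.items()
        for value in values
        if any(c in value for c in MARKUP_CHARS) and value in body
    )


def reflection_report(handler, param_names: list[str]) -> dict[str, bool]:
    """Send each parameter a unique canary containing '<"' and report which
    ones come back raw (True = reflected without encoding). handler(params)
    stands in for the HTTP round trip in this in-process example."""
    report = {}
    for name in param_names:
        canary = f'<"{secrets.token_hex(4)}'
        params = {name: canary}
        url = "http://opac.example.test/search?" + urlencode(params)  # constructed host
        body = handler(params)
        report[name] = name in echoed_unencoded(url, body)
    return report


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_search_vulnerable),
                      ("hardened", render_search_hardened)):
        print(label, reflection_report(fn, ["q", "page"]))
```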
Professional go player Feng Yun audio documentary

(RealAudio format)

"Even though it's been around for thousands of years, chances are you've never heard of the game, Go. Created in China, it's a board game that involves the placing of stones on a grid. One of the game's top players, Feng Yun, lives in New Jersey. But this week she's gone back to her homeland in China to participate in an international tournament. She sits down with independent producer Blake Eskin to talk about the game."
The joys of library blogs

My uncle, Ross Thrasher, who is also a librarian (although a blogless one), once said to me, "librarianship is the last bastion of the generalist". Perhaps this "intellectual diversity" (or "lack of focus"?) is why I enjoy reading library blogs - you never know what you are going to come across. One spectacular example is Peter Binkley's recent post about a delightful animated musical retelling of the great Hindu epic Ramayana entitled "Sita Sings the Blues". Check it out in QuickTime format here. Jaya Sita Rama!
Splog me

"Splogs are blogs set up for spamming purposes (Spam Blogs). By themselves they would probably go unnoticed since they have nothing to offer most readers, but through aggressive use of keywords they trick indexing services into sending out spam messages as links to the blogs."

Friday, October 21, 2005

Geek humor

"If I was going to make an evil programming language, I would not name it after a snake."
- Larry Wall

Thursday, October 20, 2005

German publishers warm to Google Print

In the wake of the news of a second American copyright suit over Google Print, Deutsche Welle reports that German publishers kinda like the idea.

"An increased and more direct reach to the consumer is just one way Google is promoting its new project to skeptical publishers. The company also says that publishers will be able to monitor interest in titles through the search engine, and use the information in deciding whether to reprint certain books. Google has also promised publishers a cut of the advertising that will appear on the site."
Google Print lawsuit number two

A couple of weeks ago the Authors' Guild filed a copyright lawsuit against Google. Now the Association of American Publishers has joined in the fray with their own suit. Slashdot reports:

"The Association of American Publishers, an organization of book publishers including Pearson Plc's Penguin unit and McGraw-Hill sued Google over its plan to create a digital Web library of printed books. The Association of American Publishers sued Wednesday after talks broke down with Google over copyright issues raised by the Google Print Library Project. Publishers say Google will infringe copyrights unless it gets advance permission for the scanning. The suit is the second by the publishing industry against Google's library plans and underscores the worries sparked by Google's expansion beyond Web search."

Wednesday, October 19, 2005

IA pitches folksonomies to librarians

nform Information Architect Gene Smith faced an audience of professional librarians at the Access conference this week to let them know that folksonomies are a good idea. While this conference is being held in my home town of Edmonton, Alberta, I was, unfortunately, unable to attend. Fortunately, Gene has made his slides available at his blog.

I can tell you, as a librarian, that the profession as a whole is not necessarily warm to the idea of folksonomies. Librarians have a long term professional stake in the notion of authoritative classification and description of documents using thesauri and other controlled vocabularies. The folksonomic or social tagging movement is the antithesis of this perspective focused on amateur classification unimpeded by formal vocabularies.

I do not know how Gene introduced Clay Shirky's opinions on this issue during his presentation - it would be interesting to know - but Shirky's name is mentioned a few times and his mug graces one slide. I wonder how the audience of librarians, most of whom would not be familiar with Shirky's views on the profession of cataloguing, would respond if Gene had read the following quote from the summary of one of Shirky's well known presentations?

"The LC scheme, when examined closely, is riddled with inconsistencies, bias, and gaps. Top level geographic categories, for example, include "The Balkan Peninsula" and "Asia." The primary medical categories don't include oncology, defaulting to the older and now discredited notion that cancers were more related to specific organs than to common processes. And the list of such oddities goes on... it enforces cookie-cutter categorization that doesn't reflect the polyphony of its contents--there is a literature of creativity, for example, made up of books about art, science, engineering, and so on, and yet those books are not categorized (which is to say shelved) together, because the LC scheme doesn't recognize creativity as an organizing principle. For a reader interested in creativity, the LC ontology destroys value rather than creating it."

[You can listen to Shirky's full presentation here.]

There is also a third approach mentioned in Gene's slides - machine indexing. For the sake of clarity, the three approaches to making documents (or items, data, or whatever) findable are:

  1. The traditional cataloguer's approach - authoritative classification with controlled vocabularies that may or may not fit into the categories of ontologies or thesauri
  2. The amateur post-facto approach - a community of users, which may be as small as one or as large as all Internet users, tags items with any word they want to use
  3. The Google approach - keyword index everything and use clever relevance sorting on search results

For the record, I support the view put forward in Gene's final slide: the ideal for most situations is a combination of approaches to describing items.

Tuesday, October 18, 2005

EFF outs government-industry collusion

The Electronic Frontier Foundation (EFF) has cracked the secret fingerprinting code that some color printer vendors use to watermark every printed page. The story has chilling reverberations for how technology "features" that are introduced to combat one problem, in this case counterfeiting, can be used to combat many others as well. EFF Senior Staff Attorney Lee Tien:

"'Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?'"

UPDATE: This story has now been picked up by slashdot, the wp, and others.
UPDATE: October 19, 2005: Mr. Schneier covers as well.

Thursday, October 13, 2005

Why spend on IT?

Students in my IT Strategic Planning class at the University of Alberta will be familiar with the message of John Thorp in a recent Computerworld article cleverly entitled, "Buyers addicted to gambling on IT investments".

"Business needs to take greater responsibility for technology investments as $800 billion is wasted on ill-conceived IT projects each year, according to the head of Fujitsu's global consulting centre for strategic leadership, John Thorp. Pointing the finger at companies for having 'a serious addiction to gambling on IT investments', Thorp said a huge amount of money is spent on IT that is creating no value. 'The minute you put IT in front of something, it's an IT problem. IT strategy, IT governance, it's not about IT, it's about enterprise value,' he said."
Uncertain future for snort under Check Point

Security Wire Perspectives on Check Point's recent acquisition of Sourcefire, the owners of the open source IDS, snort:

"'Snort is now and will continue to be free to end-users,' Roesch wrote. 'We will continue to develop and distribute the Snort engine under the GPL, improve and document the program to stay on the cutting edge and expand the Web site.'

Still, industry observers are hardly optimistic. Martin McKeay, a CISSP and Snort user based in Santa Rosa, Calif., said he's hoping for the best, but expecting the worst."

Tuesday, October 11, 2005

IT security: dangerous professionals or dangerous legislation?

The Register ran a story today regarding the conviction of Daniel Cuthbert, a respected IT security expert, for attempting to bust into a tsunami relief donation site in order to determine if it was a phishing scam. Cuthbert was found guilty even though he did not gain access, and the judge accepted that his motives were not malicious. What is interesting about the Register's story is that it provides a little - and only a little - more detail about what exactly Cuthbert did to try and "test" the site in question.

"On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories. After running the two tests, at between 15.12 and 15.15 on New Year's Eve, Cuthbert took no further action. In fact his action set off an Intrusion Detection System at BT's offices in Edinburgh and the telco called the police. A witness for BT confirmed that the attack would have had no effect on its server, running Unix Solaris, even if it had not been detected by the IDS. The Crown also accepted that there was no malicious motive in Cuthbert's actions."

The story mentions "two tests" but only describes a pretty trivial directory traversal attempt. What was the other test, I wonder?
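The request the story describes and the IDS alert it tripped, from the server and detection side, as an added example that is not from the Register or this post: a path resolver that refuses any request climbing above the web root, and a scan over constructed web-server log lines (documentation-range IPs, times loosely following the story) that flags plain, percent-encoded and backslash spellings of a '../' segment while ignoring file names that merely contain dots.

```python
import re
from urllib.parse import unquote

# Constructed log lines in Apache combined format. Documentation-range IPs,
# times loosely following the story; not real traffic from any site.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:15:12:03 +0000] "GET /donate/thanks.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2004:15:12:41 +0000] "GET /donate/../../../ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Dec/2004:15:14:58 +0000] "GET /donate/%2e%2e/%2e%2e/%2e%2e/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2004:16:02:10 +0000] "GET /images/..banner.gif HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Dec/2004:16:02:19 +0000] "GET /donate/..%5c..%5c HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path segment; '..banner.gif' does not match.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def canonical(url_path: str) -> str:
    """Drop the query string, decode twice (so %252e double encoding is
    caught too) and fold backslashes into slashes, so every spelling of
    '../' compares equal."""
    path = url_path.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/")


def resolve_within_root(web_root: str, url_path: str):
    """Map a request path onto web_root; return None when the normalised
    path would climb above the root or carries a NUL byte, i.e. a request
    the server should refuse rather than serve. Purely lexical: no disk
    access, so it is safe to call before any file is opened."""
    path = canonical(url_path)
    if "\x00" in path:
        return None
    parts: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # nothing left to climb out of: escape attempt
            parts.pop()
        else:
            parts.append(seg)
    return "/".join([web_root.rstrip("/"), *parts])


def traversal_hits(lines) -> list[dict]:
    """Scan combined-format log lines and return the requests whose
    canonical path contains a '..' segment, the way the IDS in the story
    would flag them. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(canonical(m["path"])):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]} {hit["time"]} {hit["path"]} -> {hit["status"]}')
```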

Saturday, October 08, 2005

Here's a good one

Thursday, October 06, 2005

Is there an open source security application crisis?

Check Point acquires Sourcefire, the makers of snort, and Nessus closes its source. What is going on!?!? Next Fyodor will sell nmap!

Wednesday, September 28, 2005

A rare draw in International go

GoGameWorld and the AGA eJournal report on a rare professional go match that ended in a draw by mutual agreement. However, it turns out that it did not need to be a tie! Here is the AGA story.

"A very unusual result was achieved in a game between Lee Changho 9P and Chang Hao 9P in the Southern Great Wall Cup special match between China and Korea on September 11th. The game concluded with a quadruple ko that was mutually accepted as a tie. Lee and Chang split the combined first and second prize money, but pros later determined that Lee had really won the game. Playing Black, Lee could simply connect one ko and give two others to Chang. Then he would win by 3.5 points. The agreement on the tie was probably prompted by the fact that both players had only one minute of time left at that point and Lee couldn't be sure of his calculation."

You can view or download the game record here.
Live giant squid caught on film

The New York Times reports that a pair of Japanese researchers have made the first recorded observations of a giant squid in the wild. Having been fond of these elusive giants for years, my first comment is, I want to see the footage! I hope they post it online soon.

"Working some 600 miles south of Tokyo off the Bonin Islands, known in Japan as the Ogasawara Islands, they managed to photograph the creature with a robotic camera at a depth of 3,000 feet. During a struggle lasting more than four hours, the 26-foot-long animal took the proffered bait and eventually broke free, leaving behind an 18-foot length of tentacle."

Source: First Giant Squid Captured in Wild (on Film, That Is) - New York Times

Wednesday, September 21, 2005

Fair use put to the test

In what will be one of the most important copyright cases to hit US courts - if it goes to trial at all - The Authors Guild is calling the Google Print initiative on its apparently liberal interpretation of fair use. It is important to note, when asking the question "has Google gone too far?", that both Google Print and Google News, both of which search, aggregate, and excerpt from intellectual property not owned by Google, lack any Google ads and thus do not directly generate any revenue for Google. Maybe that does constitute fair use?

From el reg:

"Google operates two programs intended to incorporate print material into its search index, one of which, the Google Print for Libraries program, is targeted by the suit. Google has been scanning the collections at five libraries, bypassing the authors - who of course hold the copyright on their works - and including selections in search results. 'This is a plain and brazen violation of copyright law. It's not up to Google or anyone other than the authors, the rightful owners of these copyrights, to decide whether and how their works will be copied,' Authors Guild president Nick Taylor said in a statement."

The EFF has a quick review of the legalities of the case and sides with Google. There is also a detailed review of the legalities of Google Print here.

Thursday, September 15, 2005

The best sports team name in the English speaking world

The New Zealand Herald reports the national badminton team is considering changing its unofficial name to something other than the "Black Cocks" - although I doubt that their fan base will ever let them.

"At the recent New Zealand Open, crowds were yelling out 'c'mon the Black Cocks'. "

The Register used this news story to create its entry for the "news headline with the most Neanderthal metaphor of the year," NZ finds Black Cocks hard to swallow.

Wednesday, September 14, 2005

SETI@home milestone

Today, after having two computers devoting all of their spare cycles for a few months, I have reached 10,000 workunit credits. Now, these credits are not redeemable for alien technology; they are merely a measure of the amount of SETI@home data analysis that my hardware has completed. This is not a particularly impressive volume. The top producers on the project contribute well over 1000 workunits daily, and the total number of workunits processed over the life of the SETI@home project is now over 2.5 billion. However, I ask myself, why am I doing this? Have I made the world a better place? I certainly have not found any space bugs yet, but neither has anyone else. Would I be better off donating my spare cycles to another grid computing project? (By the way, check out this great BOINC stats page.)

Monday, September 12, 2005

Ontario's Premier pledges to eliminate religious arbitration in the province

Following up on my previous post regarding Sharia tribunals in Ontario, a Globe and Mail article quotes Premier Dalton McGuinty as follows,

'Mr. McGuinty told The Canadian Press yesterday that "I've come to the conclusion that the debate has gone on long enough. There will be no sharia law in Ontario." "There will be no religious arbitration in Ontario," he said. "There will be one law for all Ontarians." Legislation will be introduced "as soon as possible," he said.'

This is another classic collision between cultural pluralism and liberal democracy - McGuinty's comments threaten to reverse the 1991 Arbitration Act which allowed for Roman Catholic and Jewish arbitration tribunals to be used voluntarily in family law disputes. Is there a solution that allows voluntary religious arbitration while still providing one law for all Ontarians?

Thursday, September 08, 2005

Sharia tribunals for Ontario

The announcement (here and here) that the Province of Ontario is considering a recommendation to introduce Sharia tribunals to resolve disputes such as divorce within Muslim families is alarming women's rights groups and dissident groups from hard-line Muslim countries. The Sharia tribunals, if instituted, would operate in a regulated environment alongside the province's existing Roman Catholic and Jewish tribunals. A Toronto Star editorial carries the following quote,

"The Muslim women who are leading today's protests have nothing to fear themselves because they would never agree to submit disputes to a religious tribunal. Still, they are demonstrating on behalf of other Muslim women who may not understand their rights under our laws. They argue such women may be coerced by their families and communities into agreeing to a process that may treat them unfairly."

Go player disses Sudoku

Outrage and furor abound at Rob van Zeijst's recent Daily Yomiuri Online "Magic of Go" column, which denigrates the popular Sudoku game that now litters many English-language daily newspapers.

"Su Doku, a game with a Japanese-sounding name but invented in New York, has become very popular. The idea of the game is to fill in nine 3x3 grids with numbers 1 through 9 so that each horizontal and vertical row, each individual 3x3 grid, contains the digits 1 to 9. Some numbers have already been provided, and the player must use logic and the process of elimination to solve the puzzle. It is interesting, but its major drawback is that there is always a solution. You may think this strange, but it is limiting in that it does not draw on the imagination."

Come on Rob, many go players love Sudoku!

Tuesday, September 06, 2005

The state of Go at UC Berkeley

The Daily Californian Online has a nice column on the growing popularity of go in Berkeley.

"The club, which today has members ranging from age nine to age 80, originated at UC Berkeley in 1960 through students who played Go in their free time. As the club attracted experienced players —and as an increasing amount of Go literature was published in English —the club moved off campus in the 70s, changing locations several times before settling at the BART station in 1999."

Monday, August 29, 2005

The death of the bar code?

Slashdot decries the end of the bar code:

"The University of Wisconsin RFID Lab, principally funded by a dozen Wal-mart suppliers including 3M, Kraft Foods, and S.C. Johnson & Son, believes that RFID could spell the end of the ubiquitous bar code. The big draw? Speeding up supply-chain management. Wal-mart's warehouse conveyor belts presently move products at 600 feet per minute... but they want to be faster. And better informed."

I bet that libraries will see bar codes for a little longer than Wal-mart. RFID technology is certainly mature and available for library use, but the price point remains too high for these institutions, which have less capital investment funding than Wal-mart. In fact, the last that I read, the RFID price point is still too high for Wal-mart, but getting closer every day.

Once again, coffee is good

Slashdot brings to our attention a health column in the Independent describing a study funded by the American Cocoa Research Institute.

"A study has found that coffee contributes more antioxidants - which have been linked with fighting heart disease and cancer - to the diet than cranberries, apples or tomatoes."

Thursday, August 25, 2005

There has been a lot of discussion recently about defeating CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart). I won't reiterate all of the hacks and arguments here; for many links, see here. What I did want to bring attention to is a set of criteria for evaluating CAPTCHA systems posted yesterday to the web security list by Jeremiah Grossman (link to full message).

He calls it the CAPTCHA Effectiveness Test:

  1. The test must be able to be administered where the human and the server are remote to each other over the network.
  2. The test must be easy for humans to pass. Less than 0.01% of humans should fail the test on the first attempt.
  3. The test must be hard for computers to pass. Computers should have less than a 1 in 10,000,000 chance of guessing the correct answer (even after a pre-determined amount of analysis time).
  4. The test must be able to be completed by a human in less than several seconds.
  5. Knowledge of a test question, answer, or result (or combination thereof) must not impact the predictability of following tests.
  6. The test should not discriminate against the blind or the deaf, or should provide a solution to address the issue.
  7. The test should not possess a geographic, cultural, or language bias.

Tuesday, August 23, 2005

Swedish library loans humans to combat intolerance

"A Swedish library, realizing that books are not the only things being judged by their covers, will give visitors a different opportunity this weekend - to borrow a Muslim, a lesbian, or a Dane."

Scandinavian libraries have developed a creative program to combat prejudice. The latest incarnation lets patrons of the Malmo city library book a brief conversation with members of various religions, nationalities, professions, and even sexual orientations. Programs like this recognize that public libraries have a role to play in communities that goes beyond merely providing access to their internal and virtual collections. A natural extension of the public library ethos of intellectual freedom is the promotion of the realities of the new pluralism.

Thursday, August 18, 2005

Are CBC's IT staff on strike?

CBC is in the midst of a crippling job action. The Globe and Mail reports today that CBC has had to throw advertisers a bone to make up for plummeting viewership in recent weeks. Under normal circumstances, I enjoy CBC radio and television programming, but who wants to watch their reruns? I notice now that at least the news section of the CBC web site is down. Are the CBC IT staff on strike as well, or are they just dealing with the impact of the Zotob worm like everyone else?

Update (a few minutes later): The CBC web site is working fine now.

Monday, August 15, 2005

Jon Boley authored a thought-provoking piece encompassing Hiroshima and go in the American Go Association's e-journal.

"REMEMBERING IWAMOTO AND HIROSHIMA: On August 6, 1945, Iwamoto Kaoru and Honinbo Hashimoto Utaro had just resumed their Honinbo championship game when they were interrupted by a blinding flash, a deafening explosion and a terrible wind that blew out the windows and knocked the stones off the board. The game was being played just outside Hiroshima; the police chief, fearing an American bombing raid, had moved the game out of the city. Later that day, survivors of the atomic bombing began to stream past the playing site, where play was continued and the game was completed: Iwamoto lost the game but won the match. Iwamoto's grandmother had said that a world full of go players would be a more peaceful place and in response to the events of that day 60 years ago, Iwamoto made a lifelong commitment to sharing his passion for go with the international community, a commitment that led to his founding of go centers around the world, including the Seattle Go Center, which is celebrating its 10th anniversary this year."

Thursday, August 11, 2005

Telus, Telus, Telus, sigh...

Need I add any comment at all?

"On July 25, 2005, Canadian Internet Service Provider (ISP) Telus blocked subscribers' access to a Web site set up by an employee labor union intended to publicize the union's views about its dispute with Telus. In addition, the OpenNet Initiative's (ONI) research shows that Telus's decision to block traffic to the Internet Protocol (IP) address of the site caused collateral filtering of at least 766 additional, unrelated Web sites. Telus restored access to the IP address hosting the sites on July 28, 2005, while appearing to maintain an option to block any sites it chooses."

Monday, August 08, 2005

I want to copy my CDs!

One does not normally see Michael Geist advocating the adoption of US copyright policy in Canada, but here is one small case where I could not agree more emphatically that the Americans have it right:

"However, given the opposition to the levy system, the better alternative might be to simply drop it completely. In its place, Canada could adopt a 'fair use' provision that would allow consumers to copy their own CD collection onto another device along with the elimination of statutory damages provisions for such copying cases. The fair use approach would match the U.S. model, where the recording industry has acknowledged that consumers have the right to copy their own CDs without reference to a private copying levy (and which CRIA seemed to acknowledge in its pledge yesterday)."

Saturday, July 30, 2005

The state of go in Vermont

The Burlington Free Press has a lengthy column on the popularity of go in the State of Virginia.

"'Vermont is really quite interesting in that we have about 15 regular members that come to the club,' said David Felcan, president of the Vermont Go Club. The club is the local chapter of the American Go Association, which, Felcan said, has about 2,100 members nationwide. 'In terms of per capita, Go in Vermont is huge,' he said."

Sunday, July 24, 2005

The Korea Times baduk lesson

The Korea Times is running an English language series of basic go lessons.

"In China, baduk is called 'weiqi,' which literally means the game of surrounding: to surround territory, and to surround the opponent's stones to capture them. To surround and capture your opponent's stones is a good way to gain territory, but it is just the means to an end. The ultimate object of baduk is to gain more territory through surrounding."

Hacker Gary McKinnon interviewed

Slashdot points out this interesting BBC interview with "famous" hacker Gary McKinnon. He claims, among other things, to have found evidence of the truth about UFOs on US computer systems, and he was smoking weed while discovering this proof.

"The BBC World Service has a half hour audio interview with British hacker Gary McKinnon. As recently reported on /. and BBC News, Gary was arrested and freed on bail pending extradition proceedings to the U.S. There, he faces charges of gaining unauthorised access and causing criminal damage to military computers in his search for evidence of UFO coverups and anti-gravity technology of extra-terrestrial origin."

Friday, July 22, 2005

What we should do

A valuable thought from Schneier:

"I often get comments along the lines of 'Stop criticizing stuff; tell us what we should do.' My answer is always the same. Counterterrorism is most effective when it doesn't make arbitrary assumptions about the terrorists' plans. Stop searching bags on the subways, and spend the money on 1) intelligence and investigation -- stopping the terrorists regardless of what their plans are, and 2) emergency response -- lessening the impact of a terrorist attack, regardless of what the plans are. Countermeasures that defend against particular targets, or assume particular tactics, or cause the terrorists to make insignificant modifications in their plans, or that surveil the entire population looking for the few terrorists, are largely not worth it."

Wednesday, July 20, 2005

Copyright polarization

The Register has a detailed piece analyzing all sides of the highly polarized copyright debate. Well worth reading.

"The debate is much more interesting than Yet Another Argument About Copyright because it reveals how people value human creativity, and that's something we're all entitled to have a say in. It also reveals what people really mean when they claim their position is 'good for society' - and again, it's our obligation when someone with this purpose pops up to shake them down vigorously, and see what rolls out of their trousers. In this case there is much merit on both sides of the exchange."

About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.