dynamic pharming

I just learned what DNS pinning is and how it can be defeated when a domain is associated with multiple DNS A records.

The basic idea of DNS pinning is that when your browser loads something from x.com, it caches the DNS A record for x.com (the IP) and then keeps using that local copy instead of sending a DNS request each time.

This means that all requests to x.com for a browser session will be sent to the same IP address.  Unfortunately, there's an attack: if the IP that was "pinned" stops responding, the browser throws away the pinning and issues another DNS request.

If the two IPs are different, the browser will still see pages from both IPs as being in the same domain, and thus in the same origin -- scripts from one will have full access to content from the other.

This means that an attacker who controls the DNS records for x.com can put his IP first and the real x.com's IP second in the list of A records.  Then, at will, he can instruct his server to quit responding to requests.  This allows him to force clients to go from using his version of x.com to the real one.  The result: scripts served by his version of x.com can access content on the real x.com.  Browsers' Same Origin policies do nothing to fix this (in my opinion, they aren't supposed to).

What is this if not motivation to make DNS much more secure, since it is considered an authority!

Link to more info

public domain DRM

Most current DRM revolves around the idea that each person should be required to pay for their right to view/use some protected media.  The rights may be temporary or permanant, and may or may not be transferrable.  Ideally, a DRM system should be able to restrict who, what, when, and how.

Kelsey and Schneier propose "The Street Performer Protocol" that adds a twist onto DRM.  Instead of protecting content from the public, it pays the distributor if the content is released to the public domain.  

Essentially, people put donations in an escrow, and then when the content is released to public domain, the distributor (or artist) is paid.

I haven't read the paper yet, but this looks like a promising way to help free software developers pay for overhead costs.

newcomb's paradox

a clairvoyant being presents you with two boxes: one is open, and has $1000 in it.  The other one is closed, and you're told it contains either nothing or $1,000,000.  

The being asks you to choose to take either both boxes, or just the closed one.  He claims (due to his clairvoyance) that if he predicted you would choose the closed one, then he put the $1,000,000 in it.  If he predicted you would choose both, he left it empty.

The paradox is: which do you choose?  Both, or just the closed box?  Why?

(Link to essay by Franz Kiekeben)

progenetorivox

This is one of the funniest videos I've seen in a long time:
Drugs I need

Cheers to the folks at jibjab.com who keep coming out with hilarious animations!

this is our country

There's a new Chevy ad that I find interesting.  The song in the background keeps repeating "This is Our Country," meanwhile the camera pans for what seems like ever showing people erecting a long barbed wire fence.  

Take away message: to show you this is OUR country, we're going to put up a barbed wire fence to keep everyone else out... oh, and buy a Chevy to support the fence.

Fishing, not Phishing

Apparently someone used a rod, line and hook to pull bags of money out of one of our local bank's night deposit boxes! (Link) The thief left the fishing pole at the scene (probably accidentally) giving investigators a clue about what happened.

Immediately, I see a quick low-tech fix. If bags entering the drop box wouldn't simply drop 3 feet to the floor, but instead slid down a spiral slide for 5 feet, it would be INCREDIBLY hard for someone to get a hook on a bag. Optionally, one could include a second door, a trap door, that opens only when there's enough weight to push it open. A bank fisher would then need one heck of a sinker to get the hook down to the bags! Any other ideas?

(Link to story)

the macbook cometh

Here's the previous post in comic form. Comic Life is pretty darn cool.

new toy

On the 27th I ordered a new toy from Apple, well, okay, it's a computer so thus a tool for my research. I figured since I was buying a new laptop, I should go all out and get dongles for it too; it's important to be able to hook it to a monitor, projector or TV, so I bought an S-Video, a DVI, and a VGA dongle to plug into it. Funny thing, they arrived two days ago.

So needless to say, last night I was anxious for it to show up. FedEx was shipping it from China, and I had been following it on its travel through Alaska. When I went to bed, it was still en route from Alaska. FedEx woke me up at 8:30 by pounding the hell out of my door, and there it was! Incredibly fast. Go FedEx.

Anyhow, I'm as always infatuated with Apple's packages, so I slowly opened the sucker marveling at how they used a thick shipping box with only corner foam pieces to kind of minimize waste. (They have been getting lots of flack recently about being harmful to Ms. Earth.) Anyhow, inside the brown box was a really pretty marketing box that mostly shows off their presentation abilities.

Tearing through the tape, I pulled all the stuff out of the box noticing a new flavor of foam: it looked waffley. Stamped on the foam too was the MacBook logo. I still think it's odd that Apple goes through the trouble to make things so pretty when people will only see them once. Maybe it's for geeks like me who enjoy opening boxes way too much.

Box drooling aside (not quite as cool as the original cube iPod boxes), I pulled out my new workhorse and opened it up. I really like this new magnetic latch. One of my peeves about the 12" PowerBook is the flimsy latch.

Of course the best thing about the way Apple ships their laptops is the full battery. I've never seen instructions packaged with any battery-powered Apple product that says "plug in for charging before first use" or even "go buy a battery." They take good care of their customers -- cell phone manufacturers could take a hint from them.

Anyway, all things in order, I've set up the new MacBook just the way I want it, and am constantly being impressed by little things. For example:

• During initial setup, you pick an image to represent your account. The software turned on the built-in iSight camera and let me take a photo of me (bed head and all)!


• Emacs compiled in 10 minutes (took over an hour on my old PowerBook).


• Target Disk mode rocks! I used my old laptop as an external FireWire hard disk to transfer all my documents and settings. Couldn't have been easier.


• Third-Party software, including games, were pre-installed. This included a Mancala game. I didn't know Mancala was even popular.

There's lots of software that looks fun, including ComicLife... maybe I'll post a comic strip later.

spammers concerned with fraud

It appears that some spammers are concerned with phishing and pharming attacks that will make it harder for people to find the real source of Viagra. To fight this, some spammers are telling people to actually type the url into the browser, and not follow links in the email.

Honestly! You're at the bottom of the authority chain, you're a spammer. Just use a link.

(Link to a screengrab of the email)

google appliance xss

Multiple sources have been reporting a Google Appliance XSS attack. In short, the attack allows someone to tweak the variables sent to a search page in a way that lets arbitrary scripts from any domain to be executed on the results page.

Say I do a search at IU's search page, and when the results are shown to me I am directed to this url:

http://search.iu.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8&...

I can change the q and oe variables such that the q variable has <script src="evil.com/script.js"></script> encoded in UTF-7, and then set oe to UTF-7 so the q variable is decoded. Then when the results are shown, evil.com/script.js is loaded on the page.

This has been shown to manipulate the results page (see this example), but since the URL must be modified, and a search query must have already been submitted, I don't see an immediate use for this.

I guess one thing that could be done is as follows: an attacker could create a custom search portal that ignores the search terms provided by a user, then executes some javascript to screw with their computer. Of course, they must be initially directed to the evil search portal... is there another use for this "vulnerability" that escapes me?

powered by the Microsoft

I got an interesting spam today that said I won the Microsoft Lottery (the UK Microsoft Lottery). It was your usual email, except I'm sure it's performance was much better; there was a tag at the bottom that said:

this is powered by the Microsoft®

apwg: day 2, law and enforcement

Today was mostly geared towards law enforcement and legal arguments about how and why phishing (and other electronic fraud) are difficult to catch.


Stanley W. Crowder (Special Agent, US Secret Service)
Mr. Crowder talked about how the USSS investigates phishing to help find people, stop them, and generally protect consumers.   He mentioned that there are lots of carding websites used for fraud.  Also, there is a tremendous underground culture (or market) centered around stealing and using identity for financial gain.  Take-Home message: Law enforcement needs help breaking through the technological barriers to catch bad guys.

Michael Levin (Dep. Dir. National Cyber Security Division, DHS)
Agent Levin gave a little insight about how his division at the DHS operates.  It appeared to me that his emphasis was on DHS's main aim is to get different communities talking to each other (intelligence, academia, law enforcement).  He believes all police should be equally well trained on cybercrime so they can help collect and identify digital evidence when they visit a crime scene.  He also believes in establishing good relations between US feds and other countries' federal cops by "drinkin' beer or drinkin' vodka or wrestlin' with 'em" -- whatever it takes.

DHS interacts with the public via CyberCop.  You can register for the CyberCop portal and obtain a weekly newsletter called "unusual suspects" sharing some sort of interesting information (don't know what).

odd spam

Today I got spam consisting of a lot of random numbers chosen and formatted to spell out a domain name. Click the above picture to see the whole email. Kind of weird. Anyone else seen anything like this?

Update (17-Nov 12:17): It appears to be a very cryptic pump and dump scam. See the stock ticker on yahoo.

apwg: Sven Karge

Sven Karge talked about legal implications of phishing in Germany.  There were lots of subjective details, but in short, be really really careful if you fly through Germany after doing anti-phishing studies where you simulate sending phishy emails.  There are lots of issues with copyright infringement, though the laws he presented seemed pretty fair -- criminal intent is important to prosecute.  He also suggested ways to improve tracking and shut-down of international phishing operations:

"To prosecute, we need good international cooperation."

This includes well-established and court-approved evidence sharing procedures so we can prosecute phishers in international courts.

apwg: John Brozycki

Representing an "anonymous" financial institution, John Brozycki  talked about how Phish Feeding works.  You automate attacking phishing sites by feeding in bad data.  The bad data then comes through to your site when the phisher attempts to use it.  You can watch the phish food turn into phish poo (not an official term) and track their behaviors.  Additionally, you can flood a phisher's site with so much bad data that they get pissed off and stop bothering you.

Phishers respond to this by implementing captchas (Turing Tests).  Unfortuantely, most use bad captchas, so scripts still work to infuse bad data.  Another thing he brought up was that phishers can block traffic from certain areas (i.e. the institution they are spoofing).  You can get around that by purchasing DSL connections.

More information at TrueInsecurity.com, email phishfeeder at that domain for info about phish feeding.

apwg: Brad Keller

An opening talk was presented by Brad Keller, the eCommerce Business Risk Manager of Wachovia.  He made some good points about internet fraud.

He claims we need to use multiple approaches
and multiple tools to make phishing and other electronic fraud unprofitable.  This point was followed up with the claim we need to shift the focus from "identifying a provider's site to clients" to "identifying the clients to a provider".  It may be a better solution to make sure clients are valid instead of trying to prevent theft of their identity.

Mr. Keller also emphasized that much of the fraud his institution sees is not direct fraud: not just phishing, then using the data.  Keyloggers and other crimeware capture various credentials, which are then circulated on the black market.

A wealth of information can be extracted from a client's transaction and browsing habits, as well as from their IP and computer information.  This can be used to help profile people and identify anomolies (such as transactions that are minutes apart, but on different continents).

All in all, he has been frequently surprised by what phishers seem to do --- it's possible that phishers don't clear cookies, suggesting it may be time to start profiling phishers themselves, instead of just relying on profiling of their sites and emails.

Things to research: Smishing, Phish Phood (not ice cream), Client Metrics, Access Anomaly Detection

APWG eCrime Summit

I'm in Orlando at the APWG eCrime Summit and enjoying the opening session.

I'll be posting a bit of information about some of the talks throughout today and tomorrow.

pirate spam

I got an email today with a subject "Nicholas has uploaded new software for you". The link provided is one to a "deep discounts" software site where you can buy $9000 software for $150. What interested me was the extra content in the mail to get past spam filters.

perform the following steps:
To fix this problem, you can have the text filter send a FORM
#
2. Members of the FreeBSD group who are active testers, willing to
aptly named kernel. You should always use kernel for
probable location of the failing piece of code (e.g., the pcvt driver
language-based printers) which cannot directly print plain text.
below the soft limit, the grace period will be reset.
to be transmitted and expected.
old trusty config file after upgrading from a pre-FreeBSD2.0.5.R
a page, specify them with the ff capability in /etc/printcap.
login
Bring a printer up; the opposite of the down command.
text filter for a printer, it sets the filter's standard input to the
does not start somewhere on the middle of the last page of the
Floppy drive controller: fd0 is the ``A:'' floppy drive, and fd1
printf "\033&k2G" || exit 2
regular kill instead

And it goes on. Some of my favorite quotes from the message are:

"give them the 'machine ID' and they will respond with a corresponding rose: Permission denied"

"touch your tree."

"Print jobs who wish to make topical suggestions on changes and the general (horizontal, vertical). So, first think, then format. The format controller! In general, every reconfiguration of a SCSI bus must pay"

ids daily header

Today is a double-hit day for me in the Indiana Daily Student.

'Bug' in new UITS Webmail filter causes some to miss e-mails

Student's Web site receives national attention


Yesterday was a double-hit day for Chris. Two articles right next to each other on the front page.

FBI raids Ph.D. student's apartment, investigates Web site

Project might be linked to graduate research at IU

The two hits for Chris are just in the sea of articles that have been printed since the Associated Press picked up on it.

was it wrong?

Was it wrong for Chris to post his boarding pass generator? One person says (in his blog comments):

I would like to repeat that TSA spokespersons have confirmed that this is not a dangerous security hole. For example, see this story, where "TSA spokesperson Carrie Hanson" is quoted as saying "'Is this a threat to security? The answer is no.'"

At worst, Chris made it marginally easier to exploit a known low-priority security hole that was already ridiculously easy to exploit.

And for this he gets his door broken and house ransacked by the FBI? You can see why I would be shocked and dismayed by this. If this gets as far as a grand jury I will be horrified.

I don't think he was unjustified. I think it is time people realize that there is no reason you need a boarding pass to get to the gates. Frankly, I don't care who is in the airplane seat next to me, so long as airport security did their screening properly and my seat-neighbor isn't going to cause serious trouble.

It disturbs me that the powers that be reacted so swiftly and strongly to something that is not new, misunderstood, or even that critical to security!

Previously: Generating Boarding Passes

generating boarding passes

Poor Chris. He described how to make a fake boarding pass by twiddling the online-generated passes that are issued by NWA. There's nothing wrong with this -- he didn't actually use them, he just wrote a very simple piece of software that lets anyone generate a fake boarding pass.

Rep. Edward Markey (D- Massachusetts) called for Chris's arrest. Why? Did he do something wrong? This ability to create boarding passes out of thin air is not new! It has been known for years and was in fact pointed out by Sen. Schumer (D-NY) in Feb. 2005.

What the hell? Has it come to this: if someone looks suspicious, we arrest them and work out the details later? The FBI served him with a cease and desist.

They handed me with a written order to remove the boarding pass generator. By the time we were somewhere with internet access, the website had already been taken down.
Link

Reality check: what Chris did was a trivial hack. Anyone who can write simple web application code can create this. Heck, you could make your own boarding pass easily without understanding code at all -- use a web page editor.

If Chris's liberties are violated in this fashion without repercussions, everyone who can edit online boarding passes should also be controlled. Everyone with a computer should get ready to line up to be monitored by the FBI.

sidstamm.com

Am I narcissistic or what? You can now visit my web site by going to www.sidstamm.com ... and the blog, well just add /blog to the end of it.

me on tv?

I was interviewed today and supposedly will be on TV Friday morning (the 27th) at around 6am. I don't know how long the spot will be, probably short, but if you're awake, tune in! It will air on WTIU, which is channel 5 if you have cable in Bloomington, 30 on the air, and if you're in some other Indiana town... who knows. Look for WTIU.

10/27 19:13 -- UPDATE: The journalist mis-spoke, apparently. The segment aired at 6pm.

killing in the name of...

For some reason this struck me as strange today.

When did "killing" become a "euphemism" for being in trouble? As in, "my dad is gonna kill me if he finds out." Today I heard a teenage girl scream "I'm going to KILL YOU!" as she ran after a boy who probably told Johnny she liked him.

Obviously, some people think violent video games have something to do with it. Others probably think that violent TV and movies are the culprit. What if there was more sex and less violence? Frankly I would prefer that -- and perhaps "I'm gonna kill you!" will change to "I'm gonna screw you!" or "I'm gonna get naked!"

Maybe we should start teaching our children alternatives to murderous intent. Here are a few I like:

"I'm gonna spit on you!"
"You're going DOWN!"
"I'm gonna pee on you!"
"Dad's gonna steal my car keys when..."
"I'm going to forcefully restrain you until you take that back!"

Thoughts?

ndss

Active Cookies will be published in NDSS 2007

bugged

I found one of these in my bathroom today. Not dangerous, but really weird looking. Looks like a cross between a hair brush and a house spider.

espresso award

And the Worst Espresso in Town award goes to....

the Bloomington Bagel Company

While they have scrumptious bagels, their espresso lacks, well, a lot of things. Complete absence of crema, medium light roast beans are used, and it is overheated scalding the flavor of the coffee. It actually reminds me of the french press coffee I make -- only I know this came out of their massive (expensive?) espresso machine.

Go there for bagels... bring your own coffee.

I love spam

Abuse may arise bad apples left rots entire Jamie Kalven following excerpt Kicking Pigeon part series.
To Labor Activists Michelle Goldberg Rashid is Khalidi Role Religious Right Affair Hans Johnson telltale habit extremism?
Admitted in United States detains suspected secret is Ciarun in prisons or foreign a why Pakistan Nuclear.

cafe del mar

cafe del mar Ibiza
Originally uploaded by Ben30.

Hm, so this is the cafe where all the great music comes from....

25

Everybody sing: "Crappy birthday to you..."

Actually it hasn't been that bad. My motivation level is around 10%, though, so I didn't make it to Jiffy Lube in time for the $5 early-bird discount. I did pick up some stuff at the store that I needed, and ran over a nail in the Target parking lot. Thankfully there was an auto shop just around the corner so I could quickly get it fixed without driving on a donut for a week.

My car goes in tomorrow to get some new stoppers -- kind of a birthday present to the car, and a well needed repair. A car is kind of scary to drive if you can't stop well.

On another (more mischievous) note, I learned that Qdoba has a "customer card" kind of like the thing you have to use to get normal prices at the grocery store. Only difference is that you can track your purchases on their website (although I notice you can find this feature at Kroger.com too). I wonder if Qdoba sends you "addiction" reminders. Say you buy 2 burritos each week, then take a month off. Maybe they send you a note, "Hey, you must be going through burrito withdrawl... come in today and we'll give you 10% off!"

I wonder how secure their online databases are...

mark z's new work

AAAH! The author of House of Leaves released his next unique artwork in book form. I stumbled upon it in the bookstore today, and couldn't help myself. This guy is my hero (literature-wise) and I've been waiting for this book!

Check out his awesome PR website.

msw

I just finished giving a talk at the second Midwest Security Workshop, and enjoyed my largest audience yet for the Invasive Sniffing talk (roughly 150). I also thought it was cool that the screen on which my slides showed up was probably 30 feet tall!


(No that's not me, just a shot of the screen.)

I'm very sleepy. I got four hours of sleep last night, and enjoyed waking up at 5:15am to leave for this workshop. I need to find some coffee...

heck of a day

Though the latest trend has been bad days for me, today was completely different.

It started off with a good parking spot, and a good meeting with my advisor. He gave me some compliments and as always, made me feel good about myself.

Next, I got another good parking spot, and had another good meeting.

Later I got home, craving some chili, so I started working on that, all the while waiting for the cable guy to come "fix" my connectivity problems.

Minutes after I got back, FedEx showed up with an early birthday present... an espresso maker. Woohoo! Thanks, Mom, I need this!

The chili is cooking, and cable guy shows up. He's really nice and changes some fittings, making the resistance between my modem and the network node much less and hopefully fixing the problem. He buys my old clunky 17" monitor (which has been with me since junior year of high school).

Feeling productive and optimistic, I call the department of ed to ask what I have to do to "fix" my loan situation (due to a mistake by the registrar, my interest capitalized and I lost my grace period while I was in Oz). They explain why the interest hasn't been removed from the principle -- boiling down to the registrar not reporting me as full time during the last summer. Annoying. I don't know what the deal is, but they say to file another deferrment request, hopefully they'll provide the right data. I gear up to raise hell at the registrar's office on Monday.

An hour later, the nice woman from DoE calls back and says they fixed it. No need to argue with the registrar! Yay!

Now I'm waiting for R to show up (she's visiting this weekend), and anticipating the much craved Chili/Cornbread dinner that's mostly ready. Mmm.

19 inches of heaven

Happy birthday to me.



Okay, it's not my birthday, but I'm a proud owner of more screen real-estate -- and it's affordable on my peanuts stipend (yes, you can buy it with peanuts). Quite an upgrade from my old 17" Dell monitor from 1998.

arrrr

Yarrrrrrrrrrr!

(Link)

Stop-Phishing @ IU: Google Public Search service

Potential for phishing using Google's Public Search service.

Note: I had been holding back on this entry, but since this flaw has gone public elsewhere, I suppose it's okay to post again.

Stop-Phishing @ IU: Google Public Search service

social sniper

I am a social sniper. The window facing 4th street is a advantage of sitting in the cafe where I am. So far, two people I know have walked by, and I just run outside and surprise them. You could be next. Where am I camping? Beware walking through neighborhoods with cafes with street-facing windows.

Croc hunter dies

It's a sad day, Steve "Crocodile Hunter" Irwin was slain by a stingray. He was 44.

(Link)

ramen copyright

On 30-August, Jennifer Granick wrote an analogy in Wired News that ties together Ramen sales and the RIAA's crack-down on guitar tabs. An excerpt:

They'd form an association -- say, the Ramen Industrial Alliance of Asia, or RIAA -- and announce a clampdown on the proliferation of infringing noodle shops. Their arguments would echo the music industry's. "The chefs who created ramen deserve to get paid for their creation," they'd say. "These noodle shops are taking profits away from the creators, while peddling an often-inferior product to an unsuspecting public that believes they are getting real ramen."

Although I disagree with her arguments that "ramen-copyright" and "guitar tab-copyright" are the same, I concur that guitar tabs are in no way a threat to the original composers. Once upon a time it was a complement to have your original work arranged for a new type of musical group.

(Link)

purdue seminar

I gave a seminar talk at the CERIAS lab of Purdue University yesterday. They had arranged for me to spend most of the day meeting with miscellaneous faculty -- it was great. Sometime in the next few weeks, they'll be posting a streaming video of my talk here (I think).

The talk discussed invasive browser sniffing and countermeasures that was presented at the WWW 2006 conference in Edinburgh, Scotland. (Abstract, Slides)

pspam

Sick of physical spam (pspam -- the crap that comes in the post to your home mailbox)? The USPS suggests you write to these folks, and ask to be added to the "no advertisements" list:

MAIL PREFERENCE SERVICE
DIRECT MARKETING ASSOCIATION
POST OFFICE BOX 643
CARMEL NY 10512-0643

Link

is my research pointless?

This is kind of a ranting... it may not make much sense.  Input (comments) will be appreciated.

During lunch today, I flipped on the TV and watched a PBS special on a nun who makes cheese.  Actually, it was called "The Cheese Nun".  In it, Sister Noella Marcellino talked about how they make cheese and essentially commune with the world (the beasts, the earth, the cheese-making fungi).  It was kind of neat, everything she did was backed by enormous motivation and inspiration -- though none of it was heavily religous.  In her cheese-making escapades, she was asked to go back to school and study more to make the cheese better or at least understand why they use the very antiquated cheesing methods they do (no pasturization, specific locations for aging, etc).

She went back to school to get her PhD in microbiology (ended up on a Fullbright scholarship to France) -- studying specific fungi in the cheesemaking process, and she figured out, down to the strain of fungus, exactly why each cheese tastes different.  It turns out that in the aging caves, a whole different ecosystem of microorganisms live, and a new strain of the cheese-making fungus develops and thrives.  Destroy one of these caves, and the flavor of cheese made in it will go extinct.

She illustrated the importance of keeping around these antique cheese caves, and supporting the independent middle-of-nowhere cheesemakers. Through her research, she helped a whole lot of people realize what is *really* going on in a rather mysterious process of cheesemaking.  She is the pious Indiana Jones of the cheese world.

I think it should be the goal of every advanced student to strive for something like this -- not only to pioneer something new in their field, but also try to make a real contribution to add perceived value to society.  Help steer our world straight -- a researcher with any other purpose is just a cog in the big machine.

Computer Security, as a field, is an arms' race.  You have the defenders and the attackers.  We make them wear different hats (black hat, white hat).  You also have some "gray hats" that simply find new angles of security and anti-security, then talk about them, as opposed to taking advantage of them or fixing them.  We often call the black-hats "Hackers", and the white-hats "Researchers". 

As a side-effect, the struggle (you could call it the "war on cyberterrorists" if you really want) brings about a whole new little society.  The cryptographers, virologists, coding gurus, stack smashers, documentation trolls, social engineers and script kiddies speak a language of their own, and more or less just fight amongst themselves.  Bring in malevolents -- spammers and phishers -- and you break out of the security bubble and start harming the everyday Joe and Jane who barely know what an anti-virus program does.  Jane and Joe are at everyone's mercy, and are mostly oblivious of the war going on.

So what does this have to do with cheese?  Sometimes I have to step back and think to myself, "self, what is your goal here?"  A lot of security research seems to be to be intellectual masturbation; you find a flaw, you find a solution, then you pat yourself on the back and publish it.  If you read through journals of computer security, this is all you will see: layers and layers of vulnerabilities and their solutions.  There are whole companies whose business plan is based around cataloging all of these pairs. They don't really seem to make a difference to anybody outside of this focused war.

Cheesemaking has changed radically over the years, mostly due to health scares ("you're eating WHAT kind of mold?")  and process regulation ("you must boil the milk first, to spoil the flavor and bacteria").  Due to these changes, many of the great cheesemakers have gone out of business, and what used to be a great cheese is now extinct.  It is a noble effort to preserve other cheeses from extinction.  I want to find a noble effort in computer security. 

But it doesn't seem to me that saving peoples' identity from theft is as noble as some claim.  Educated Internet users can figure out how to prevent this theft.  The everyday Joe does not, and probably never will.  Most identity thefts occur in a way that leaves the victim completely clueless until money disappears or an agency questions them about actions they did not commit.  Wouldn't the best solution to the Bank-ID-Theft problem simply be to stop allowing online banking? Why don't we just stop using computers for commercial purposes? 

Things seemed to work fine before they were used this way -- election vote counts were not disputed or mistrusted, banks employed security guards to prevent theft, junk mail was directed to "current resident."  For each problem, an expert was employed: election officials, security guards, the trash can.  Now, it takes a computer expert to solve all three of these problems!  Say there are 10 areas of expertise in the world.  One of them is computers.  Before this "information age" 1/10th of the people could be employed to solve any given problem.  Now there are only 1/10th of the entire population available to solve ALL of the problems.  This doesn't sound good.  It makes me want to go live as a hermit in a cabin in the middle of the woods.

The Internet and this "digital society" are very very complex systems.  They are not getting simpler.  In the future either everyone will need to become a computer security guru to survive -- either that or much of the population will have to place unconditional trust into the expert few for ID theft protection.  Only some of the experts are trustworthy; the others want your ID.  It is a noble effort to solve this problem while keeping computers in their currently heavy-use roles!  The current, unfortunate, direction of things seems to be a downward spiral into infinite complexity and obscurity.

honest spam

I like to see that spammers are finally being honest... I mean, it's obvious that most of the email I get is shit, but this one is actually labeled that way.

technorati tags:spam, honesty

is today monday?

What a crappy day... but at least it started well!  Happy birthday, Mom!

Last night when I wanted to take out my contacts, I realized I left my glasses in my little black canvas bag -- the same bag with my razor, deodorant, toothbrush, etc.  Normally, this wouldn't be a problem, but I failed to take the bag with me on my trip from Lafayette to Bloomington.  Luckily, I was able to squeeze an extra day of pit stick out of an old stick, scrounge up a spare toothbrush, and locate an extra contacts case.  

This morning, I had absolutely no motivation to wake up.  The weather was cool enough last night that I slept with the window open, and this morning my apartment smelled like a forest the morning after a rainstorm.

Bus driver was a jerk today.  I bought a tiny little espresso, and when I tried to board the bus to ride across campus, he asked what was in the cup.  I told him it was filled with delicious coffee.  He said I wasn't supposed to bring a cup like that onto the bus.  Nicely, I let him know that I wouldn't spill it -- and since the cup was tiny, I thought he'd assume it was not much liquid to spill anyway.  He continued arguing!  "I guarantee that if you drop that cup it will spill.  You're gonna have to put that cup in there," he pointed to the trash bin.  I harumphed and told him I'd rather walk.

To the bus driver:  I hope you enjoy your little victory.  I've been riding the same bus route for over a year and this is the only time a driver has kicked me off for a tightly-lidded coffee.  He may have his victory, but now I understand why the buses are always late: the drivers take extra time to argue with passengers.  Anyway, my walk took 20 minutes longer than usual due to some "construction" in the middle of campus.  And by construction, I mean fenced-off heaps of rubble being pushed around aimlessly by a track-hoe.

The department of education pushed my student loans into grace-period and then repayment status while I was in Oz, and I argued yesterday with the IU Registrar's Office about my full-time student status.  Apparently they think I was not even half-time in the spring, though the CS department seems to think I was full-time.  Now I have to somehow get the CS people to convince the Informatics people to convince the registrar that I was full-time.  Then I can get the registrar to tell that to DOE, and get my capitalized interest uncapitalized and my extra interest removed.

Blargh.

On a lighter note, the new Phishing Group website is up.  Writing that has been my entire life for the last two weeks.  Phew.

technorati tags:monday, DOE, student loans, bus driver, bastards, phishing

hot day

It was hot today (about 95°F) and some kids were fooling around in the fountain near my office at Purdue. I wanted to strip off most of my clothes and join them -- the water smelled really nice. The scent reminded me of a water park I used to attend with my parents when I was young. Alas, I have too much to do, so I settled for a picture instead of a run through. Anyhow, I think the air conditioning in my office would freeze me if I were wet.

technorati tags:hot, fountain, Purdue University

sofa bricks

Wow, this is really cool. I can think of a ton of things to do with "sofa bricks" -- these cushy little building blocks. As a kid who played with legos, I think they would be a great for wasting time while trying to think of a new thing to do with them.

( Link )

back to reality

Well, after lots and lots of travel, I made it back to the USA.  Right now I'm sitting in a cafe in Madison, catching up.  It's good to be back home where things feel right, people drive on the right side of the road, soft drinks are cheap, drip coffee is common (bleah), and the money is green.

On the way back, my travels took me on a train to the Sydney airport, on a plane to Los Angeles, another plane (late by 2.5 hours) to Chicago, and then a car to Milwaukee then Madison.  When I landed in Chicago, two bad things happened; first, my plane was very late due to crew being late to show up.  Then, since we landed late, I missed my connecting flight to Madison.  

(9:30pm) As a result I tried to re-book for a later flight -- but the next possible flight was at 4pm a day later.  I decided to try and get put on the standby list for the 12am flight to Madison -- and to do that I had to walk CLEAR across the Chicago O'Hare airport to the gate... both the shuttle bus and train were broken.

(10:10pm) When I got there, the nice lady informed me that there was no way in hell I would make the flight, and that I should think about taking the bus that goes to Madison at 11pm.  So I made a call to United using a service phone (after using the nice desk-worker's cell phone to call RAM and arrange a car ride from a friend).  The nice folks on the other end of the line informed me that they could not cancel my ticket over the phone, I would have to speak to someone at the service desk.  So I walked to the nearest service desk, and got in a line that extended way down the corridor.

(10:50pm) Still in line, waiting, talking to some other nice folks.  United begins cancelling flights due to weather and a surplus of baggage they will have to send to other airports.  The line grows immensely.

(11:20pm) Finally talk to a service rep who says he can't refund the flight since it's bound to the LAX->Chicago flight.  I ask him for a travel discount or free flight voucher.  He gives me a $50 discount voucher for my next United flight.

(11:40pm) Arrive at bag claim looking for my Milwaukee friend.  I think I spot my luggage sitting by one of the claims, but I was told to get it in Madison  on the following day, so I give up the search and head for the toilet to take care of what pressure built up during the last 4 hours instead.

(11:45pm) Find my friend, get in a car, go to his house.  We arrive a bit after 1 and I hit the sack.

(1:00pm) We leave for Madison the next day, and head to downtown where, at 3:30pm, I meet up with RAM and finally see her!  Yay!  I pick up my new cell phone (email me if you want the number) and then my pal and I go to pick up my bags.

(4:20pm) I easily find my bags.  The Madison airport has been overhauled, and looks beautiful now!

(5:30pm) I finally change into clean clothes at the hotel and clean up.

The rest is history.  I have a good sleep, and then today I'm tooling around downtown Madison looking for trouble.  My throat is sore and I think I'm getting a cold, but other than that, things are back to normal.

technorati tags:travel, home, United Airlines sucks

suing myspace

A 14-year-old Travis County girl who said she was sexually assaulted by a Buda man she met on MySpace.com sued the popular social networking site Monday for $30 million, claiming that it fails to protect minors from adult sexual predators.The lawsuit claims that the Web site does not require users to verify their age and calls the security measures aimed at preventing strangers from contacting users younger than 16 "utterly ineffective."

Teen, mom sue MySpace.com for $30 million

Wow.  What is the world coming to?  I thought we got over the sue-happy days when it was a good idea to take a bite out of McDonalds to recover from stupidly spilling coffee on yourself.

I believe that people are responsible for what information we put on the Internet.  That means that the parents need to teach their kids about the dangers of the 'net, just like saying "don't take candy from a stranger."  Parents: I highly recommend finding out who that boy is that your daughter is cruising around with -- and maybe even find out where she met him.

Hell, she could have posted her address and phone number on an unmoderated Geocities webpage or on a Usenet news group!  A reaction to the news article:

By Stav June 20, 2006 09:20 PM

‘“None of this has to be true,” the lawsuit said.’ Why don’t you just sue the whole internet? “The internet does nothing to protect promiscuous teenage girls who give out their phone numbers to total strangers. You can lie about yourself!” eyeroll

Wow, you can LIE!  I didn't know that!  I have sixteen fingers on my left hand.  Where are the truth police?

technorati tags:lawsuit, stupid people, myspace

should they watch us?

"If you aren't doing anything wrong, what do you have to hide?"

Wired News: The Eternal Value of Privacy -- Bruce Schneier

Bush wants to allow NSA rights to perform wiretaps without subpoenas (Link), and a lot of people have a problem with the pro-wiretap argument above.  In his article, Schneier argues that there are good reasons to dislike these arbitrary wiretaps without being a criminal.

Further discussion on this article takes place in its comments, and on other blogs as well.  I found the discussion in the comments at Concurring Opinions quite interesting. (The article itself is well thought out).

"... I have three secrets. But I wander the yard in my nightgown and I don't care if the government listens to me gripe about my daughter in law. You could hear it, too, if you want.

I suppose I'm sort of unique in that my life is an open book, but still, why would the government care to look in my window? They're looking for specific stuff and if they think I'm that interesting, more power to them. You're probably not that interesting, either.

There's a bunch of "french engineers" however, down the street, who come and go, and sometimes they are different "french engineers." I'm thinking terrorists. I'd down with tapping their phones.

Posted by: annegb at May 24, 2006 11:40 AM"

Concurring Opinions: Is there a Good Response to the "Nothing to Hide" Argument?

The problem I have with the wiretapping is the automated or seemingly arbitrary "violation" detection.  Like the problems discussed with the no-fly list errors, similar things can easily happen with wiretaps.  I see this as more severe than, yet similar to the speed-trap cameras.  Some areas have automatic cameras that take photos of your car when you're speeding, then send it to the police.  You later get a ticket in the mail.  It's all automated -- and that's my gripe.  I usually don't exceed the speed limit (too much), but when I do there is usually a good reason.  Sometimes people need the more trivial laws overlooked to make life more tolerable.  Don't get me wrong, I'm not saying people should get away with murder, but we don't want to be living in a police state -- a society where law dictates everyone's behavior instead of protecting safety and liberty of its subjects.

One part of Schneier's article that hits home talks about how just the possibility can change how we live:

How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? [...] Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, [...] But our demeanor has changed, and our words are subtly altered.

Back to the camera issue -- what if something is miscalibrated?  What else could they be doing with the camera?  Perhaps my state has a seatbelt law -- they might use similar cameras to take photos of my car and fine me if I'm not wearing a seatbelt.  What if the camera catches me on the cell phone? How far can they look in my car to find something wrong?  I'm sure if my life was scrutinized carefully, anyone could find something illegal. 

Wiretapping extends into peoples homes, which are traditionally considered off-limits to law enforcement unless they have a just cause (and subpoena) to peek.  Maybe I like to serve wine to my 16-year-old son with dinner.  Maybe I like to soak in my back-yard hot-tub naked.  These are liberties that I enjoy -- simple things like this make our country great -- and it could change if we let them scrutinize everything we do, finding out how each of us is a criminal.

technorati tags:privacy, wiretapping, policy

oss and bug liability

Glyn Moody writes about Bruce Schneier's Wired article discussing software vendor liability; Moody mentiones that if vendors carry bug liability it might scare open-source software developers out of existence.

I disagree... I think perhaps the legal liability would provide an exception for open-source vendors since you can look under the hood before you use the software. Not only that, but you can fix it yourself. On the other hand, when you buy a Microsoft product, you just have to trust that it will work as advertised.

(via Slashdot)

customer service

Due to a change in plans immediately following my return to the US, I needed to change my final destination in my return flight to Madison.

Anyway, not a big deal. I had called United Airlines yesterday to see what it would cost. I was quoted $150 fee plus the difference in the fare cost. Apparently I got a wicked discount on my flight from LA to Indianapolis when I bought the trans-pacific flight. Anyway, taxes and everything, I was quoted a reasonable cost yesterday.

Today I call again to make the purchase, and after a very short waiting period, Ian answers the phone. He seems nice enough. He says he has to check my fare rules before making changes, so I let him put me on hold. The two minutes he claimed turned into 10 minutes, then he came back on and apologized. He said that the fee change was $200 (not $150). Whatever. I asked him how much the flight would cost. Again he puts me on hold for "two minutes." Fifteen minutes he comes back and apologizes for the wait. Apparently a flight to Madison would cost an arm and a leg. I ask how much the total was, since I only pay the fare difference, not the whole thing. He gives me an outrageous number, so I ask for the value of this fare that we are replacing. "I have to check with my service director." He puts me on hold again.

I sat there and fiddled with the phone, getting angry, and I found a timer on the phone. We were 32 minutes into the call. He came back at 35:23 and apologized for the wait. He said my flight was worth $200 (I was quoted $150 yesterday) but all together it would be $416 plus any taxes. So naturally, I asked the magnitude of the taxes. "I have to check with my service director." The nasty refrain.

Strange thoughts started crossing my mind. Perhaps this service director was training him.

SD: "Now push the x button, and then F2. No, F2 not F and 2 at once."

Or maybe the service director was a game of solitaire.

He comes back at 46:12 and apologizes for the wait. He says it would cost $460 with taxes. This whole time his numbers seem rounded, so this is suspicious. I deliberate painfully on the phone with him for a while, trying to understand where the cost came from, then I ask him how much the taxes cost, "if it will take you less than 30 seconds." He mumbles a bit, then I say, "Why don't I just talk to your service director?" He says okay, and puts me back on hold.

At 51:37 he comes back and apologizes for the wait. I growl a bit under my breath. He says that due to the confusion about the rebooking fee ($200 today, $150 yesterday) they could give me the cheaper cost; would I like to buy it? I think for a while and say, "Yes, I would like to purchase this, but first can I talk to your service director? I have a question to ask." He reluctantly says okay and puts me back on hold.

I sit on hold for a while listening to the circus music, anticipating his return saying his boss is busy. Instead, an angry-sounding lady picks up the phone and very quickly introduces herself and states again they would give me the cheaper change fee. I say that's okay, and act pleasant to her. First, I enquire about the phone menu system. The menu was different today -- does she expect this? Perhaps something funny was going on. She says they have been doing menu work. Okay, so I express my concern about yesterday's quote and the SIGNIFICANT cost increase in less than 24 hours. The flight is not for more than a month, so fares should not start climbing so fast.

She asks if I'm flexible about times, and I say "yes, of course, if it's cheaper." So she finds the EXACT SAME FLIGHTS FROM YESTERDAY and quotes me THE EXACT SAME DOLLAR AMOUNTS FROM YESTERDAY including cents. I quickly agree to a 2-hour layover in Chicago to make the change for a reasonable cost including taxes. She was good: efficient and very good at understanding my needs and concerns. Only one thing she lacks: foresight to have taken over my call earlier after Ian came to her four times for help calculating taxes.

I had originally planned to bitch at her about how their operations were too clunky, since a price quote took almost an hour -- but when she came up with a decent price, and I could tell she knew how to run things, I blamed the call on Ian hoping he would choose a new career.

Strange thing: everyone sounded American at the other end of this Australian phone number. Yesterday, everyone (including the automated menu system) sounded Australian. The email confirmation I received later originated from a New Jersey IP address. Maybe the Aussies working for United have Friday off?

a tropical vacation

It's been nearly a week since my vacation finished, but I've got most of the pictures posted online so now I can talk about them.

Brisbane Skyline

RAM came to visit on the 7th of May, and we hung out where I'm living for a little while. Our residence threw a festival called the IFFF (International Food Fun Fair) where the residents from different countries get a chance to cook for everyone. It was pretty cool; there were 25 different countries represented, so we got some time to walk around and graze on the different foods. As concession for free entry, we worked for the India booth for a while (we are both so Indian), but since that booth had a surplus of help, we really did nothing but eat.


The real vacation started the next day when we went flew to Brisbane. I was scheduled to give a talk on the 9th at Queensland University of Technology, so we went a day early for exploring. There didn't seem to be a whole lot in that city, except a river and some gardens. It's not on the ocean, either, so they had to fashion a fake beach for people who like the sand and blue water.

Trinity Beach (one day of sun)

After my talk, catching up with one of RAM's old friends who studies there, and a day walking around Brisbane, we took off for Cairns (pronounced "cans"). For the most part, the weather there sucked. It was VERY windy and rainy and cloudy, except for one day that was very windy and sunny. We stayed on Trinity Beach, which caters mostly to self-contained apartments. We ended up in a family-run apartment building with a kitchen and grill and stuff -- it was nice to be able to cook for ourselves and save a few bucks. The meat we bought from a butcher tasted funny (seasonings), but the rest was great. I must say, the Great Barrier Reef is cool, as is most of the wildlife around northern Queensland.

Here's a synopsis of our stay:

Day 1: It's rainy. Visit downtown Cairns. Shop, that's all there is to do. Ate at a cool italian place where they bring the specials board to your table since there are too many to remember.

Day 2: Still rainy, go to Port Douglas, Daintree River. See a python, crocodiles, koalas, feed a cassowary.

Fish on the reef!

Day 3: Sunny! Very windy. No reef trip yet (too windy), so we go to the beach and then to an aborigine "learning park"-like thing.

Day 4: Rainy again, but last chance for a reef trip so we go. 2 meter swells in the sea, makes most of the people on the boat sick during the 2-hour trip to Michaelmas Cay. Reef is amazing (sunny!), we get a free upgrade to a better trip and free intro SCUBA dive because we pre-booked and nobody really wanted to go. Good food on the trip. I love motion sick pills.

Day 5: Check out of the apartment, go to Cairns and shop some more.

Then we flew back for some time in Wollongong and Sydney. More about that later.

pastabook

It's available! Finally, the gospel of the Flying Spaghetti Monster is out.

(Link)

Encrypting VoIP Calls

Encryption is good, or so we all believe, but it is not the complete fix for electronic wiretaps.

Zfone Encrypts VoIP Calls
Felton says: "Phil Zimmerman, who created the PGP encryption software, and faced a government investigation as a result, now offers a new program, Zfone, that provides end-to-end encryption of computer-to-computer (VoIP) phone calls, according to a story in yesterday’s New York Times. "

The article continues by discussing how the encryption scheme exchanges a secret key: using vocal communications. Felton raises an interesting point: encryption does nothing if spyware is installed on one of the computers -- the conversation could still be archived unencrypted without knowledge of the key.

oz update

Lets see, what's going on in my life...

Research, research, research.

RAM is coming to visit in two days! I'm so excited. We are going to visit the great barrier reef and spend some time on the beach. Sydney is on the agenda, and we plan to see a show of some sort at the Sydney Opera House.

I found an Italian barber today and got a great haircut. The old Italian guys (especially guys like this who have been chopping hair for 40 years) have the best technique. They whittle away at your head using only scissors. Makes for a great haircut.

I spent a little time training with a Chinese guy -- he was teaching me the art of ping-pong. I still suck, but I suck less.

I've been trying to re-learn piano. It's not working, since I never learned it in the first place.

Sunday is the International Food and Fun Fair at my residence. Groups cook different foods from different countries, and perhaps perform some cultural things. I've been recruited to help cook food for Indian and Spain (I don't know why). Hopefully, the Spanish and Indian people will tell me how to cook stuff.

tonga in trouble

An earthquake hit Tonga today, causing a tsunami warning -- though it turned out to be unnecessary. Apparently they have earthquakes frequently there (due to it's proximity to a fault) but it's still scary. Some friends of mine were in Tonga just a few weeks ago.

Mary Fonua says:

I was holding onto the bookcase and in fact, I'm standing in a pile of books now that have fallen on the floor. My son saved the X-Box but other things, you know, were falling off and we could hear the glasses breaking and the crockery shattering and the glasses singing, yes, it was quite an event.

I like to see her boy has his priorities straight.

bushwhacking

This is one of the funniest things I've seen in a long time. Bush and his inner thoughts. The real guy and a comedian saying what he's thinking.

Comedian: Here it comes. Nu-cle-ar Pro-lif-er-ation. Nu-cle-ar Pro-lif-er-ation
Bush: Nuc-eer Prolif-iation.
Comedian: Aright, aright, maintain. Stay cool. Let's give this a try: We must enhance non-compliance protocols sanctioned not only at IAEA formal sessions, but through intersessional contact.
Bush: We must enhance non-compliance protocols -- sanctioned not only at E-I-E-I-O formal sessions, but through intersexual conduct.
Comedian: Looks around and shrugs ... Nailed it!

But I think the best thing Bush said during the discourse was:

My friends, our purple mountains with ramparts' red glare, white with foam and justice for all fruity plains gallantly streaming, from sea to shining sea with a shining city on a shining hill above a shining prairie, and maybe some shiny trees and a few shrubs -- I see a shiny America!

(Link to coverage by Canada.com)
(Link to the whole thing on YouTube)

annoying people

I don't know why, but people have been annoying me a lot recently. First, a guy I go to the gym with keeps pressuring me to spar with him (I don't enjoy fighting). Second, I go to bed early after telling many many people how tired I am, and someone comes by an hour later and wakes me up. He even said "Did I wake you? because J said you might be sleeping..." Later, probably midnight, one of my roommates comes running down the hall and says at the top of his lungs "What's up Dude!?" Another roommate then proceeds to knock on my door and call out "Seed?" (His accent makes my name sound like a baby plant). These roommates of mine are normally quiet and subdued...

This morning, my exceptionally cheerful office-mate comes walking in humming and whistling "Rudolph the Red-Nosed Reindeer." (For those of you who don't know, whistling is probably the public behavior that annoys me the most.) He then proceeds to close the blinds on our window -- my only escape to the outside world.

I need to calm down. Where's my coffee?

deep in the castle

deep in the castle
Originally uploaded by sidstamm.

I've been meaning to post this for a while, but I just got the pictures. Two weekends ago (8-April) a bunch of us went to the beach to make sandcastles again. Pics are posted on Flickr, but not organized due to my lack of a pro account. If anyone would like to buy me a pro account, I can organize (and upload bigger pics). :)


Update: Thanks Palila for upgrading me to Flickr Pro!!! I'm going to try to upload more photos now.

canberra

On Friday, I played hooky and went to Canberra with a group tour from the University. In an effort to get picked up at 6:30am from where I live and not from the university (which would be a forty minute walk), I organized six people. It was a fun group. We hopped the bus and then proceeded to the university where the other 100 participants were waiting.

The ride to Canberra was about 3 hours, and a very lazy ride since we were all sleepy. I fell asleep and missed a few kangaroo sightings, but woke in time for tea. We stopped about two hours into the journey, and the group leaders pulled out hot water, cups, cookies, tea and instant coffee. It was a nice treat, especially since it was pretty cold (about 9°C / 48°F) where we stopped. We had all been spoiled by the nice weather in Wollongong, which has not yet dipped below 15°C / 60°F. When we left, it was a balmy 20°C / 68°F.


We first stopped at Cockington Green Gardens. This was a place with little miniature buildings surrounded with gardens. It was quite nice, except for the chilly wind, clouds and occasional rain. Check out the rest of the photos in the set (click the image) to see more photos of the gardens.

Our next stop was the ever-important Parliament House. This exquisite building had floors and walls and pillars of black, white and pink marble. It was absolutely beautiful and modern. Connected by glass hallways, the many buildings (House, Senate, Reception, etc) were very modern -- being completed in 1988. Our tour guide gave us a few interesting facts:

• There are 4700 rooms


• It cost $1.1 Billion ($70/resident of Australia)


• There are 2700 clocks


• The black marble contains marine fossils

The building was awesome, and I would like to go back and see the House in session. I hear it's a lot of fun to watch. All I know is that the seats in the meeting rooms are very very comfortable. It's also a museum -- there were many neat artifacts and paintings there. There was a 1297 hand-written copy of the Magna Carta just sitting in a glass case. It was amazing -- there are only four copies like it in the world.

Leaving Parliament, I noticed a strange looking colorful building across the lake. I thought perhaps it was a theater or art gallery. When we pulled up at the building ten minutes later, I realized it was the National Museum where we would be having lunch. The building is very cool.


The only thing that confuses me about the building is the braille on the outside of the building. It is HUGE and high-up. I don't think blind people could read it. It's not like normal letters -- when you make it bigger, braille is not readable from a great distance! I am imagining a bunch of blind people crawling on the building's walls reading them. It did look very cool though.

We ate lunch there, throwing food to the seagulls, watching them squawk and fight over leftover bread crusts and chips, then had 15 minutes to explore the exhibits. Pathetic. We piled into a rotating theater called Cirque, which gave us a very post-modernist view of the museum. There were three screens, each with submersive video (ambient lights flashing and colored according to the video) and one of the screens had three smaller screens that moved around on it. It was fun. Then we had to leave. I want to go back.


Finally, we stopped at Telstra Tower. This tower is on a mountain in Canberra, and overlooks the entire city. From there we were able to see the whole city, and climb to a lookout platform 870m above sea-level. It was windy up there! The views were fantastic, and many people enjoyed overpriced iced cream and souvenirs from the shop at the top. The whole time we were there, I was disappointed that we didn't spend more time at the Museum instead. I find that stuff more fascinating, though the view was pretty cool.

On our way back, we drove past the War Memorial, which is an awesome sight even as driving past. There are beautiful memorial sculptures for each war, and then a big hall visible from the road, or even from the Parliament House. Yet another thing I want to go back and see. Somehow I have to rationalize going back.

The bus ride on the way back was fun. We saw a lot of kangaroos in the fields along side of the road. They behave a lot like deer, except they bounce a lot higher. When it got dark, the French people in the back of the bus started belting out their national anthem (La Marseillaise), then a German guy, then they got me to sing ours. I can't sing well on demand like that, especially a song with a big range, but I did my best. Next we tried to get a Chinese guy to sing his anthem, but he was too quiet. After much discussion, the German guy convinced the bus driver to allow use of the intercom. The next 30 minutes involved singing of many anthems (France, Germany, USA, China, Japan, Colombia, Australia, Indonesia) and attempts at convincing others.

We made one stop on the way back for toilets and foreign food (McDonalds). The 100-some people completely filled the restaurant, which to my surprise was able to serve everyone in about 10 minutes. Good job guys. The McDonalds menus here are much better than those in the US -- there are healthy sandwiches on the menu! And a large is only about 20oz, versus the huge tub 'o coke you get in the US. Finally, and the best part, is the McCafé. They serve espresso in McDonalds here. Yum.

The trip was good, but I want to go back. Canberra houses the history of the nation and many very interesting sights. Anyone up for a trip?

evil network

Today, silently while I worked, the system administrators turned off all the external network ports and broke the web proxy server. Instantly I was cut off from all the marvelous things I was doing, including a literature search.

I have two complaints:

1. Notify your users before you change the network. No matter what you're doing. It may affect them.


2. Notify your users who they can call for support in case of an outage. Everyone I talked to said "yeah it sucks, but it's not my problem."

Bite me admins. At least I still have HTTP access. Anyone willing to put up an http tunnel for me?

nethash nastiness

Reading through one of the usual crypto news sources, I came across something that seems to be a joke: a web service that provides a cryptographic hash of the entire internet. There's also a funny web-site validator that tells you whether or not a site is on the web. I'm guessing it's a joke since it was registered on 28-March -- just in time for April Fool's day.

The Internet Hash Project

Curious how it worked, I looked at the source code of the page. Cleverly, the page uses AJAX to obtain the hash (and site-existence queries) from the server. An even closer look at the code revealed a particularly interesting source-code comment (warning: may disturb. Link.) (For more information on goatse silliness, see this page.)

clustermap

I get so few comments on my blog, I just assumed nobody reads it. To verify this, I installed a neat little web counter mapping thing.

Contrary to my belief, I've attracted some visits from interesting places. Leave me a note if you're from an interesting place!

On a side-note, I'm lazy, so I just grabbed this from a free service (ClustrMaps). It's neat, but I don't know details about my visitors. Maybe if I get bored I'll write my own. It would be nice to know the user-agents (i.e. to find out how many of these are just spiders).

sap, drm, and other tla's

Microsoft has been working on this Secure Audio Path thing that they plan to put in Vista (when it finally gets released). This is interesting since they are building Digital Rights Management (DRM) capabilities into the kernel. What does this mean?

• Media providers may have to use the DRM system that Microsoft provides, since it has to be built into the kernel. If Microsoft lets people build their own DRM components, then there is the issue of misbehaving components and buggy kernel libraries.


• If you look at the diagram, the sound card driver is given full access to unencrypted data. This means that one could write a misbehaving third-party driver to capture streams. The SAP designers get around this by forcing the driver to be authenticated (see diagram). The DRM component is not "authenticated" though.


• The decryption now happens in the kernel. Let's hope that the decryption module is not buggy -- especially if Microsoft lets vendors write their own kernel modules for DRM. Not only could the player program crash, but this could cause the whole system to go down.

Will this protect DRM media from being copied? I doubt it. Academics (or benevolent hackers) will publish instructions on how to subvert all of this, then the script kiddies will pick up the proof-of-concept software to scrape the streams. I think the only way this can "solidify" enforcement of DRM is with ALL pieces in kernel mode being "authenticated" (proven safe by signature and cert. authority) or no DRM decryption should work. The problem with this is that the CA (probably a Microsoft database protected from subversion with Trusted Computing hardware) will have control over which modules are authorized -- essentially control over which flavors of DRM get to be used.


Is DRM really the right approach to protect artists' and publishers' copyright? Is this protected audio path a good idea? I don't know a whole lot about SAP (just reading the whitepapers for the first time), so I welcome others' opinions...

broken movielinks

I went to AOL's movie download thing (MovieFone) because I heard they had started selling movies for download! The prices are kinda high (US$3.95) since I think they are one-time view licenses. Nonetheless, I wasn't sure, so I clicked the "Learn how Movielink works" link in the middle of the page. Next, because I am in Australia, I was redirected to a "Screw You" page. I can't even read how it works?! Restricting geographical access to movies is a legitimate plan, but I just want to learn how it works. Lame. Could someone in the states send me the content on their "how it works" page?

(Link to screengrab of error)

Update (10-Apr): Thanks for the page grab, Jacob. (PDF 174k)

popular

Last Friday, a reporter randomly walked up to me and asked if she could ask me a question. "What is the most fascinating thing about your studies?" Naturally, I answered and she took my photo then left. Now I'm in the newspaper. Woohoo. Now if she had just read my name properly off my student id.....

violet crumble

violet crumble
Originally uploaded by sidstamm.

It's tasty, but not as good as Aydrian says. Really. You can get "Angelfood Candy" in the US that tastes the same and costs much less. Here's how you make it.

enter the sand castle

entering the sand castle
Originally uploaded by sidstamm.

On Sunday, a couple of friends and I went to the beach. I played around in the surf, used a pal's boogie board, and got thorougly thrown around by the strong waves. At one point, I got hit by a breaking wave that took all my control -- I decided to go limp and let it carry me to the beach. The sensation made me feel like a jellyfish.


Anyhow, we built a sand castle -- the best one ever, I might add. It is called the castle "Caselu" (カセル) in light of our attempts at drawing Hiragana in the sand. (Only one of us could write Japanese, and she is an expert).



Link to more photos of the engineering feat.

Link to all my Australia photos.

coffee grounds sold

The Coffee Grounds, the best coffee shop ever, was sold on Tuesday, 7 March. I used to do a good chunk of creative writing, coffee drinking, hanging out, and homework in this place. Now that I'm no longer in the 'Haute, I miss it dearly, and am glad to know that the new owners do not intend to change it.

(Link to Article)

sydney trip 1

I went to Sydney today to see The Amazing Human Body exhibit. This German guy has a way of preserving bodies with plastic, much like petrification. He's dissected and preserved a whole bunch of people to show the general public how the body works and what disease does to your organs.

It was a pretty neat exhibit, though not as educational as I had hoped. Mostly it was showing off the guy's ability to turn veins, nerves, and bones into plastic -- though it was well worth the money. Since it was hosted in Sydney Olympic Park, I got to see that awesome sports venue. There are some very neat buildings there. It's a beautiful campus.

Afterwards, we hopped a train to do some shopping -- one of our group wanted to buy some beer cozies. Downtown, we emerged in a mall and people swarmed all around us. Finding two food courts, we surveyed one, decided it was costly, and went to the other where we found some good pasta meals for $5. I was impressed at the quality for the cost. It was not Fazolis.

For dessert, I had a crêpe. Mmmm. With cinnamon and sugar. Mmmm. And they made it fresh for me. Mmmm. With lots of butter. Mmmm.

We shopped, grabbed the train, and came back. It was a good day, but I am exhausted... not because I exerted myself, mostly because I get exhausted after spending time in public places swarming with people.

golden rule

Tonight the suite I'm living in was invited to a "formal dinner" with the guy who runs the accommodations. We, along with about 25 other people, enjoyed better food than the usual dining hall food (which really isn't that bad). Additionally, the guy who runs the place gave a short speech telling us how to behave.

He talked about the book "Everything I Need to Know I Learned in Kindergarten." After telling a few mildly amusing anecdotes and reading from the book, he gave us life lessons. You could tell he was looking for laughter, but the students were not amused. He talked about appreciating the multi-cultural environment we have. I am for sure in one of those (living with people from all over) but for the most part, our accommodation complex is mostly white Aussies and Yanks.

He said we should first and foremost take heed to the golden rule -- then went on to explain that the rule expressed the need for "love and sanitation." I don't remember "sanitation" being part of that rule, but apparently he thinks we're all dirty.

social weekend

This weekend was mostly a social one. I spent a little alone time walking into Wollongong and walking back up the beach -- that was nice. I saw some humongous pelicans. They must've been person-sized (I saw someone walk up to them), and their long necks made them look even bigger. Later on, I was sitting at a cafe trying desperately to eavesdrop on a political discussion a few Aussies were having. I heard one of them say "the problem with Americans is..." then he trailed off. Never did learn the problem, though if I had, they would have had a fourth discussant and perhaps an argument on their hands.

Friday night was fun watching people walk around incredibly plastered. St. Patrick's day is one of those western-culture drinking days -- I can't really think of any others except maybe Mardi Gras. I attended a couple of parties; one of them was great because we represented most of the globe: Japan, US, Australia, Bangladesh, China, Malaysia, India, Ireland, France, Germany, UAE, Lebanon,Colombia, Kenya, etc.

Saturday was fun too, another party (a birthday party for a guy whose birthday was in January). I won a limbo contest. Who knew I could bend that way.

I should do something exciting next weekend. Maybe I will tool around Sydney.

gap

Based on my lack of recent blogging activity, it may seem I've disappeared... not so. I've been doing research and relaxing on the weekends. Here are the highlights:

• bought a french press so I can make coffee


• installed Gentoo Linux on my work computer... actually, I'm still doing that.


• met a bunch of grad students

up the mountain

Today I embarked on a long adventure that came with free foot blisters. I know I sound cynical, but I really enjoyed it.

I woke up really early to catch the sunrise on the beach today (it rose at 6:50am). I got to the beach in time, but there were clouds blanketing the sky so I saw no sun, just a bit of a glow coming from behind the clouds. I kicked a bit of sand in disgust and thought, I got up for this? Then it occurred to me that clouds might make a trip up the mountain a bit more pleasant, so I set off towards it.

First let me explain about the path I need to take if I want to walk to campus, which is directly west of me. I have two choices. My first choice is to go south past a boring industrial area forever in the beating sun, cross 2 highways, cross the railroad, go north, take a bridge back over one of the highways, go north through 3 roundabouts, then walk into campus. My second choice is to go one block north, walk west across the highway and the tracks all at once via bridge, walk south for EVER, turn right, cut through the Illawara Institute's campus, walk around an oval (like a football field for cricket), cross a busy street, walk into campus. Both take about 40 minutes. Neither are attractive. This morning, I chose to go the north-first route. When I got to the campus I had to cut through, the gate was locked and so I was deftly turned away. I retreated to a McDonalds I had passed earlier, and grabbed a very big latte (yeah, McCafe). I backtracked a bit and took a very long detour *around* the Illawara campus, through some random residential community and then finally arrived at the office. There are five sets of doors I can go into to access our office. Only one of them works with my key, of course, and it is the fifth one I try. Additionally, one of my keys (they gave me three) gets me in that door, in the suite door, and into my office. I have no clue what the others (or the RFID card they gave me) is for... none of those worked.

Anyhow, I took a breather at campus, then began the trek to the Mount Kiera trails. In order to get to the official trails, I took a 2km trail up a steep embankment. It was a pleasant walk, complete with stairs and peoples' backyards. Finally, my easy-to-follow trail ended at some gravel service road that went left and right. Left was down, right was up, so naturally I went right -- and after 200m, it started going down... and kept going down... so I went back and took the left path which led me to the park entrance.

Once there, I watched a couple of older women (probably in their sixties) deliberating about which trail to take. The women went off in one direction, and I thought I would take the other one so I could have a nice quiet walk. I did, and it was beautiful. Along the way, there were many different plants that were fascinating, a few dripping rocks, lots of ups and downs, and it ended at a road. I looked left and right then crossed. There I saw a sign for a trail I had seen on the map: this one should lead me to the top! I looked around by the sign, but could not find a trail. Behind the sign was a vast field of ferns (about armpit high) and after staring for a while a slight indentation in the foliage showed up; sure enough, the sign had a little yellow arrow pointing right at the dent. I shrugged and plowed into the field. So I guess that the trails here are not really trails -- they are just suggestions. "You might want to go some way in this direction" arrows, which eventually, beyond the ferns and back in the woods, turned into white dots. Dots don't point. I had to follow a long series of connect-the-dots scanning all the big trees for white paint in hopes I would be able to somehow meander to the top.

Hot footed, I finally popped through the forest and saw the valley. Amazing. And all this view from a rock that ... holy crap. There was nothing on the other side of the rock, just a sheer 100m drop. I backed off and soaked up the view, surprised that nobody else had stopped here. Maybe they were scared of wind -- rightfully so. I sat and ate lunch (an old soggy leftover sandwich that in hunger tasted amazing), and decided that this would be called My Favorite Spot™. I would eat lunch here again. It was quiet -- birds chirped, leaves fell off the trees every once in a while -- the wind must've been broken by the other mountains and trees. Quite serene.

Finished with lunch, I backed through a massive spiderweb and freaked out for a moment. Once that had cleared, even though every tingle on my body was greeted as an indication that a redback might be looking for a nice juicy chunk of flesh to sink its jaws, or whatever it has, into. My freaking out stopped a few hundred meters later when a few noisy people passed me. They smelled like cigarette smoke -- that means one of two things: they are hard-core climbers, or there was an easier way to get to this spot. Quickly I found out (as I soon passed a woman with a baby in a stroller) that you can drive all the way to the top and then walk down as far as you want.

Lame. Oh well, I don't have a car anyway.

In fact, I met up with the two ladies I had seen down near the "bottom" of the trails. Let me stop here briefly to rant about how damn lazy Americans are. In the US you would never find two ladies of their age and build, who were talking about yesterday's nice tea and how well Evelyn looked, all the while climbing over huge boulders and up and down steep moss-covered sandy slopes. No way. These people are hardcore over here.

When I did eventually get to the top, my legs were worn (from a bit of pretty serious rock hopping I had to do) and I sat in a nice wooden bench on a tiled and railed terrace and enjoyed the view. After a short breather, I walked into a cafe (that was setting up for some wedding -- very nice) and ordered a white coffee for takeaway. I love this country: coffee doesn't suck. I haven't found a place to get drip coffee yet. Either places don't serve it, or they have an espresso machine that they use to make a long black (espresso+water), flat white (espresso+milk) or any other Starbucks-sounding beverages you can imagine. Hell, even McDonalds will make you a cappuccino.

I sat and drank my coffee out of a paper mug with neat little paper-folded mug ring (like the cheap kind you'd get at a really bad gas station) and although the espresso was not that good, the coffee still tasted great. I looked around and decided that I was enjoying the best view of any other spectators. I had walked from the very bottom. I had conquered this mountain (and much of the town on my way to campus). With that, I left.

The way back down was much faster, so I will not belabor this monologue any more than I need to, but I should add that it entailed the discovery of a few geckos that I thought were snakes, the discovery of a yellow flower that made the forest smell VERY GOOD, and an event with a very stubborn bug and my tonsils.

As I was plodding down a hill, I must have been halfway down one of the paths, and I left my mouth open at just the wrong time because something large and moving ended up affixed solidly to one of my tonsils. After long fits of coughing (usually bugs will come back out) it moved to the back of my tongue. I started to worry a bit since there are so many deadly insects in this country, and I had just swallowed what might very well be a tick infested with Lyme's disease. My nose started running furiously, probably as some reflex to a stubborn foreign particle that won't move out of my mouth with all the coughing. I gargled a few times with water I had brought with, but the bug stayed latched on.

At this point I had accepted the fact that I may very well need a pair of long tweezers to detach the bug, and perhaps lots of medication to cure me of whatever the bug infects me with -- venom or disease. The whole time I'm coughing and spitting and gargling (making an enormous racket), I'm walking down the trail towards a road. I figured that if my throat starts closing or my vision goes fuzzy, I could collapse along the road and hope for a car to pick me up.

The bug must've crawled further down my tongue, because my gag reflexes started kicking in. More gargling and spitting and coughing, but the bug was hanging on for dear life. If it was a tick, its head must be buried deep in my tongue by now. My thoughts flashed to an ad for a tick remover I had seen in the Sky Mall magazine on the plane. There was no way that remover device was going to reach all the way back to my throat. Anyway, I decided that it can't do much more harm in my stomach than it is in the back of my throat (what with acid down there), so I decided to force it down. First I tried to wash it with a tide of water, but that did nothing, so between coughing and gagging fits I pulled an apple from my backpack and went to town. Seemed to do the trick -- after about fifteen minutes of hacking, the apple was soothing my throat, or so I thought. Once I had decided everything was fine, the bug feeling came back. I coughed a few times and it wiggled loose, so I spit it out. Very small little beetle thing; not a tick, longer and thinner -- pretty nondescript. I think I will call this species the "esophogus clingica" beetle.

The rest of my walk was uneventful, except I got lost trying to take the south route home. I ended up almost all the way down to Wollongong (5km from home) before I realized how lost I was. Blister-footed, I stumbled into my room at three and took off my shoes. Beach. Beach was all I could think of. I took out my huge towel, slapped on some sunscreen, and went to the beach. If my feet were killing me after almost 20 miles of walking today, another 5 minutes would not make them much worse. I laid on the beach for a while, walked in the surf, got in a good mood, then came back and went to eat.

Looking back on my mountain journey, I have decided a few things: my memory card in my camera filled up on 48 pictures. Most of them are low quality (640x480), and an 8mb flash card just isn't cutting it. My camera sucks too because it is slow and has no zoom. I should just get a new one. Anyhow, you can see all of today's pictures by clicking on any of the photos in this post, or by clicking this Link.