log (2000/08/11 to 2000/08/17)

older log
newer log

reply
about
archive
search

home
words
site news
gLog
linkwatcher


What are you doing?
Wednesday, August 16, 2000  permanent URL for this entry

Those Wacky Unix Filenames! From Wired 8.09, September 2000, page 230:

For example, even novice Internet users are often required to type Unix file specifications such as http:// -- hardly a standard for ease of use.

Blame it all on the inventor of Unix, Tim Berners-Lee.

Making the rounds: Last chance to Buy a VAX!

Keith Dawson writes that he has also been following the political Web severs meme; see this recent TBTF entry. See the TBTF blog in general, for that matter; it's a good one.

What are you doing?

planning my next drug binge

nothing at all

Thinking about the significance of the percentage of men who wear a mustache.

This is weird, but honest: I'm in my office at home after having traveled from Newark to f*ing Minneapolis for a 90 minute meeting...typed in your log's URL then turn to the left where my dog is sniffing in the corner and I say, quietly because we have guests sleeping on the futon in the living room and the dog had nudged open the door to my office, What are you doing? As she comes over to me, somewhat sheepishly, I turn to see your page, What are you doing?

Cue the scary music! And more generally and at some length:

France battles to repel maurading pigs. Film at eleven.

OK, so, look - I finally have something positive, something downright optimistic to say about our overly-technological future. In the past, I laid awake at night, staring at the grey ceiling, trying to figure out how we will all survive in a world in which there are trillions of sensors (many of them seeing and hearing us), all of which are on the Net all the time, watching us, listening to us, digesting our lives and offering our secrets up for the Unwashed Billions to see and hear. Privacy? Clearly an artifact of the last millineum, I figured, gesticulating at the ceiling. Get over it! But now, I am more relaxed. I am, perhaps, even sanguine. What happened, you ask? What was my epipheny? Big Brother. No, not the Orwellian presence, but the really sappy Reality TV show that's on in America right now, in which a dozen or so mostly twenty-somethings live together for a few months in a house where their every move, their every whisper, is recorded, subsequently to be edited, spliced together with fancy titles and commercials, and broadcast on some TV channel or other. And the astonishing thing to me - the thing that makes me smile, makes me relax about all of this - is that Big Brother is absolutely, undeniably, fantastically boring. I mean, I just don't care about these people. They are insipid, their minds small, their relationships meaningless. Even the heavily edited version that gets on TV - presumably the very most scintillating highlights - is dull, dull, dull. And what gives me hope is that these people are not selected for their inherent dullness. They are Normal People. Dare I say it? They are much like you and I. The vast majority of the six billion of us lead lives that are almost overwhelmingly dull. Oh, sure, I have my occasional shocking outbursts, my favorite deviant behaviors. But really! Compared to the other six billion of you? I am dull! Really dull! So dull that (those who have fallen asleep in this diatribe might usefully stir to partial consciousness at this point) NOBODY CARES! Even if my whole life was on the Web, no one would click on it. It's just too painfully tedious. So here's my bold prediction for the day. In the near future, we will all live in the Big Brother house. We will all be monitored, in all our marvelous triviality, 24x7, and you know what? No one will watch.

Or at least not all the time...   *8)


Tuesday, August 15, 2000  permanent URL for this entry

What are you doing?

Trying to come up with a better way to live.

Wondering whether "equally silent" implies that one could be more silent.

I somehow neglected the Reform Party yesterday. Of course there are two of them! Note the very significant differences...

reformparty.org Apache/1.3.2 (Unix)
buchananreform.org Microsoft-IIS/4.0

Long ago when I looked at some of the Web pages of the pre-primary candidates I mentioned the Secret Messages hidden on the Gore page. There're still Secret Messages there (messages, that is, in comments in the HTML source), and to Gore's credit they no longer have the clueless misuse of the phrase "open source" that they did then. Here's what it says now:

Thanks for checking out our source code! I plan to use this space to post special messages to those who are helping to improve our web site -- by making our site the best it can be. The fact that you are peeking behind the scenes at our site means you can make an important difference to this Internet effort. I'm grateful for your help and support in this campaign. Now let's keep working to build the 21st Century of our dreams!

Al Gore

Ian has revealed our secret plans to force politicians to display contributor logos on their clothing, so I will hint at some of the other schemes concocted at that soon-to-be-famous lunch: most of us resent the fact that politicians are controlled by the rich, who can afford to pay lots of money to get them to do certain major things. What if that were democratized, and you could pay a little money to get them to do minor things? And what if you could do it on the Web? Revolutionary, eh?

Least interesting domain name of the day: fedworld.gov. On the other hand, I think it's cool that you can download the entire US Code from the Web. Not to mention the homepage of the Epsom Salt Council!

Is your skin rough and bumpy from hiding under layers all winter? Epsom Salt is an excellent skin exfoliator. Super model Stephanie Seymour is quoted as saying she uses it from head to toe.

The irrepressable Georgi Guninski has found yet another hole in IE, or actually in Windows when it uses IE to show you a folder as if it were a Web page. In other computer security news, someone has found a buffer overrun in a Gopher server; now that's nostalgia!

Gnome seems to be Linux GUI of the Moment. The Linux users hereabouts have been known to say less-than-complimentary things about it; apparently it's all too much like Windows. On the other hand this is probably a religious issue, and I should stay out of it...

Here's a page with some numbers on it!

Unicode domain names! Run away, run away!

A new issue of Crypto-Gram is out, and it has all sorts of interesting stuff, including some discussion of parser-mismatch issues of the kind that I ranted about the other day. Unicode interpretation is another obvious area for bugs, one that I didn't mention. Crypto-Gram reader letters make the case quite strongly for using the same code for security parsing and doing-stuff parsing.

The new Crypto-Gram also has a large number of links that look worth following up (the News section in particular), and some nuggets of wisdom on security and viruses and vulnerabilities and stuff, including:

It's not enough to release a patch. The press often gets this wrong. They think the sequence is: vulnerability publicized, patch released, security restored. In reality, it doesn't work that way. You don't regain security until you install the patch. Even though both of these vulnerabilities have been patched, I predict attack tools that use them.

Writing a virus to exploit a vulnerability is a bad idea, even if the goal of that virus is to close that vulnerability. Viruses, by their very nature, spread in a chaotic and unchecked manner; good system administration is anything but.

Words to live by!

This guy walks into a bar -- bounces right off.


Monday, August 14, 2000  permanent URL for this entry

Lots of rain and lightning and thunder here at the moment; what fun! If you're indoors, at least. Or if you like being out in storms.

A view from the Esplanade during these events would show two thirds of the city battening down their camps, attempting to hold together their violently shaking shade structures with their hands, while the remaining third strolled the avenues, oblivious to the howling winds and swirling dust.

That's from this interesting page of Burning Man stories. I daydream about going to Burning Man someday; ideally as, say, a LampLighter. Cool robes, prestigious volunteer do-gooder position, lotsa bizarre people doing strange things. Heaven!

Speaking of party platforms, there's a note going around about the Web server "platforms" that the major candidates' sites are using, so I poked around a little bit at the parties. Here's a Table:

gop.org Microsoft-IIS/4.0
democrats.org Netscape-Enterprise/2.01
lp.org Apache/1.3.12
greenparty.org Apache/1.3.4 (Unix)
infoshop.org
(anarchists)
Apache/1.3.12 (FreeBSD) PHP/3.0.15

which makes almost amazingly perfect sense. It's also interesting to note the difference between democrats.org and this:

gore2000.org Apache/1.3.12 (Unix) PHP/4.0.1pl2 secured_by_Raven/1.5.1

What are you doing? A reader writes:

sitting on a towel in the kitchen enjoying a dish of ice cream, having just gotten out of the hot tub, after a day at the local clothing-optional beach... a little slice of heaven

We in the rain envy you. Swinging back to politics, we have:

Back in the Nixon era, his detractors referred to CREP (the "Committee to Re-Elect the President") as "Creep". Am I the only one who pronounces DNC as "Dunce"?

From the same sebbo that gave us the Burning Man stories above, two sad links about the Democratic Party: Democratic Congresswoman bravely defies prudish Party spin-doctors, refuses to move fundraiser out of Playboy mansion, followed shortly by Democratic Congresswoman buckles to pressure, changes her mind.

Do right-thinking enlightened people (like my readers) think that the Playboy mansion is in fact a bad thing? As I recall from my youth (when I did in fact read the words in my Dad's Playboys up in the attic, as well as staring at the pictures), Playboy and Hefner have always been very forward-thinking in things like sex and freedom and equality and stuff. I mean, certainly Andrea Drowkin doesn't like them, but it seems to me that they are on Our Side, and pretty Enlightened. Just how sad is it that the Democratic Party feels it has to avoid associating with them (although of course they'll take their money), in the name of "family values"? Bluccch! Or am I reading all this wrong, and is Playboy in fact something Bad?



minihorse!

Seeing-eye horses! (From Barry Hayes)

Without comment, I merely repeat the tag line for a retrospective of the lives of famous rock stars on the Biography TV show: "Relive the times that no one can remember."

Remember to clean your teeth at least twice daily. I'm not that good and remembering and I'm probably going to lose a tooth over it - don't let it happen to you ! :-)

Ugh. Don't remind me. One of the great joys of writing a web server is learning all sorts of interesting trivia about how various file systems might interpret the strings you give them, and trying to guess how many web apps will be broken when you start filtering the quirk of the month.

Overheard on the street in New York. "Do you want to go see 'Julius Caesar' next week?" "Oh god, another Shakespeare play? I can never figure out what's going on in them." "Don't be silly. You know 'Julius Caesar.' He dies."

Regress as far as your axioms, then stop

I don't really want to just stop at my axioms, though. After all if some of your axioms are wrong, you're going to get to the wrong endpoint. So I want to examine my axioms, also, as a sort of ongoing thing. It's true that all I have to examine them against is my other axioms (and the evidence of my senses viewed through those axioms), and the conclusions that they lead me to. Which is sort of too bad, but also inevitable.

Click on the Email address below..and enter "More info" on the subject line and click the Send icon. We will send you complete information about this incredible device that will make you an instant Piano Player. It's truely amazing!

Truely.

The original "Napster Bad" web-cartoon is now a whole family of web cartoons (most of which are in really awful taste for at least a few seconds, so be warned), as well as a line of T-shirts. It's a cultural phenom!

And to end on a more serious note, No More Lies, by Arianna Huffington in a recent Salon.

It's a conclusion shared by an overwhelming majority of Americans: More than 70 percent are now in favor of treatment over incarceration for those convicted of nonviolent drug charges. And the media -- in a growing number of editorials, columns and news stories -- have begun to actually shine a light on the drug war's casualties and call for new policies.

Yet George W. Bush did not have one compassionate word to say on the subject beyond grandiloquently promising to "tear down that wall" that traps our citizens in "prison, addiction and despair." And you can bet that, come next week, Al Gore will be equally silent on the subject.


Saturday, August 12, 2000  permanent URL for this entry

I was sorta disappointed this morning when M had no particular reaction to the Monterey Jack cheese and banana omelette I made myself. I mean, I like cheese-and-banana omelettes for themselves of course. But apparently part of the whole cheese and banana omelette experience involves one's soulmate's disgusted and/or horrified and/or tolerantly amused attitude toward the dish.

Live and learn!


Friday, August 11, 2000  permanent URL for this entry

A loyal reader writes:

Why does davidchess.com so disregard its loyal readership? It used to be that our witty remarks appeared nearly daily, gracefully intertwined with davidchess' own thrust and parry. No longer! Instead they fall, splat, in a heap at the end of a slow logday, as if to punctuate their insignificance.

Have I been doing that? It's easy to fall into pernicious habits. In theory one should really throw everything away and start afresh (or start a fresh) every few months, just to get out of any ruts that might be developing. On the other hand, I kinda like ruts, the way the grass grows up on the edges, the little bits of dirt that break off and fall into the cracks when it's hot.

Another reader writes, along the same lines:

The greens, the air, it floats on the water like cheese. Moldy cheese, the kind used in salads in France, I hear... like lamps with broken bulbs plugged into potatos.

And a third reader sums it all up:

Zinc

Speaking yet again of party platforms, Abada Abada recently linked to this anarchist anti-platform:

But to tell the whole truth, the clownishness has its attractions. Where better than at these overexposed summit meetings of the office holders and their corporate patrons can we spotlight our repressive political system at its most phony and hypocritical - when "the people" choose "their" candidates for the highest political office in the State? Nowhere else is the myth of popular representation so clearly revealed than at these huge, hollow exercises in "democracy."

(Jessamyn of Abada Abada is also one of the brilliant minds behind take back vermont .com, a lovely bit of co-optation.)



bushgore

Reading: The Big Con. Deservedly a classic: easy reading, entertaining, informative, interestingly flavored. Might be all made up out of whole cloth for all I know, but it almost wouldn't matter. Expect more of a writeup when I finish it, if I remember.

Geegaw points to a few interesting security links, including this writeup of a "security in email" seminar with the eminent Richard Smith, and (in sharp contrast) Disney's Surf Swell Island. Do take a look at the latter (requires Flash and who knows what-all); then next time you need to show someone what the Web would be like if something like the Communications Decency Act were in force, you'll know where to go...

Speaking of computer security, I will talk shop for the rest of this entry by pasting in another, someone more technical, rant from my internal weblog. Uninterested readers can go play with the visual mantras for awhile instead.

Here's another nugget of security wisdom, somewhat more technical than the one the other day.

If A is defending B, A and B had better use the same parser!

In more detail, if one program is examining a datastream and filtering it or judging it or altering it to avoid having it cause bad effects in some other program, there will be significant bugs unless the two programs use exactly the same parser (same code, same version, etc.). And if the judging program is a security program, there'll be security bugs that opens the system to attack.

For example, one version of Internet Explorer had a primary URL parser that would interpret the host part of a URL like "http://2132799651/" as the single-integer form of a numeric IP address, and go out to that address and fetch the data it found there. Every IP address has an equivalent single-integer form, so such a URL can be constructed corresponding to any normal URL.

But in that same version of Explorer there was another parser, in the code that decided which security zone a URL belonged to. That parser interpreted the host part of a URL like "http://2132799651/" as the name of a host on the local LAN. So an attacker could craft a URL that would cause Explorer to go out into the Internet to a site under bad-guy control, fetch back some data, and then interpret that data as though it had come from the security zone corresponding to the local LAN. Not good! (See the Microsoft Security Bulletin on the subject for some details.)

Another example of a security bug caused by parser mismatch involves cookie parsing. In some versions of IE (and I don't mean to pick on IE in particular here) the primary parser would interpret a URL like "http://www.foo.com%2ftrick%2f.bar.com" as referring to a page "/trick/.bar.com" on the host "www.foo.com". But the parser that decided which cookies to send with the request parsed it differently, and would send the cookies corresponding to the host "bar.com" rather than "foo.com"! Also not good. (See this PeaceFire page for details, as well as the Microsoft Security Bulletin describing the patch to fix it.)

A similar problem was found in a filter used by a Web-based mail service to strip dangerous code from mail (i.e. turn it into text) before delivering it to the user's browser. The filter would detect and defang normal invocations of javascript, but its parser would not recognize partially encoded forms of the word, like "jAvascript". On the other hand, the parser in at least one popular browser would interpret the encoded form as invoking javascript, and run the associated code. This could be exploited to slip dangerous script code into supposedly-sanitized email messages. (See this BUGTRAQ posting for details.)

Yet another bug along the same lines is described in this Microsoft Security Bulletin; again one parser was very liberal and would accept various technically-invalid escape codes as having special meanings, whereas the parser in the security component of the system treated those codes as ordinary text.

Perusal of the BUGTRAQ archives will reveal numerous similar problems, some considerably more complex. Proxy servers attempting to block Java, firewalls attempting to find FTP connections, and various other security systems have proven to be avoidable due to oddities in their parsers that didn't match the oddities in the systems being protected. The problems are usually in edge cases or odd cases, and most often in a case where the parser being protected is being "generous" in what it interprets, accepting technically-invalid constructs that the parser in the security component doesn't recognize as valid.

Which is not to say that other flavors of the problem can't also occur, as when a firewall thinks it sees an outgoing FTP connection that implicitly makes a corresponding incoming connection OK, but in fact no such outgoing connection really existed.

The best solution to this is to use exactly the same parser in the protector as in the protected. When this can't be done, second-best is to ensure that the protector has a very liberal parser, and will recognize various edge cases that aren't technically valid (but that some piece of the protected system might accept regardless) as potentially accepted and in need of filtering or special treatment (err, that is, on the side of caution).

(If both parsers are coded to the same specification, the specification is completely rigorous, and the coding in both cases is exact, the problem won't arise. But when was the last time you saw one program, let alone two, that had those properties?)

No, this isn't easy! That's why we security types get the Big Bucks...   *8)


top

earlier entries