<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7021685</id><updated>2011-07-19T10:22:26.654-04:00</updated><category term='regex'/><category term='theft'/><category term='security'/><category term='comics'/><category term='intellectual property'/><category term='bsd'/><category term='realtime'/><category term='cardspace'/><category term='cs452'/><category term='ece493'/><category term='cookieinjector'/><category term='moo'/><category term='vim'/><title type='text'>colin dellow's bln</title><subtitle type='html'>Consider this a diary (but it's not daily), so perhaps a journal (but it's not regular), so maybe a record (but it's not permanent), so a palimpsest containing the thoughts and experiences of me, Colin Dellow.
&lt;br&gt;
Out-of-date notice 1: For summer 2008, check &lt;a href="http://nerdsineurope.blogspot.com"&gt;Nerds in Europe&lt;/a&gt;.
&lt;br&gt;Out-of-date notice 2: For 2009 onwards, Jenn and I now blog at &lt;a href="http://nerdsinseattle.blogspot.com"&gt;Nerds in Seattle&lt;/a&gt;.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default?start-index=101&amp;max-results=100'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>220</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7021685.post-3587032879885301826</id><published>2008-06-16T21:35:00.005-04:00</published><updated>2008-06-16T21:47:44.544-04:00</updated><title type='text'>NAFTA: Finally doing something for me</title><content type='html'>I bummed a ride to Buffalo and got my TN status today: the official start of my career in computer security...or is it?&lt;br /&gt;&lt;br /&gt;The process was pretty seamless.  
In fact, I didn't get fingerprinted, I didn't get grilled, and I didn't have to explain to the officer what to put on the form and where to sign it: it was easier than J-1 status!&lt;br /&gt;&lt;br /&gt;The worst question was: "Any criminal record, arrests, or things we should know about?"&lt;br /&gt;&lt;br /&gt;Since I got the TN status, you may infer that I answered no.  But I had to give it some thought, especially after receiving my graduation gift from my parents this weekend:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://cldellow.com/images/letter-from-school.pdf"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand; border:1px solid black" src="http://4.bp.blogspot.com/_YY17AFO4QNs/SFcWKJn6yAI/AAAAAAAAALk/VILgYO_851U/s320/letter-from-school.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5212659457342490626" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yes, it's a copy of my middle-school suspension notice, informing my parents that I had been suspended for computer hacking.&lt;br /&gt;&lt;br /&gt;Apparently, I had the distinction of being the first student to be suspended for violating computer rules.  It shows:  my crime (keylogging a variety of computers) is described as violating copyright; the school's system administrator had a dictionary-attackable password; and, after a stern talking-to, the school librarian returned the floppy disk with the erased keylog file.&lt;br /&gt;&lt;br /&gt;A few clicks later, and I had resurrected the list of usernames and passwords that she had erased.  Mmmm, data.&lt;br /&gt;&lt;br /&gt;So is my TN the official start of my career?  Or is it just the next logical step, which will defeat attacks as naive as simple keylogging?  
I look forward to finding out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3587032879885301826?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3587032879885301826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3587032879885301826' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3587032879885301826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3587032879885301826'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2008/06/nafta-finally-doing-something-for-me.html' title='NAFTA: Finally doing something for me'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_YY17AFO4QNs/SFcWKJn6yAI/AAAAAAAAALk/VILgYO_851U/s72-c/letter-from-school.gif' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5226654204832281941</id><published>2008-04-23T14:59:00.003-04:00</published><updated>2008-04-23T15:05:54.269-04:00</updated><title type='text'>1 degree of separation</title><content type='html'>&lt;img src="http://www.bulletin.uwaterloo.ca/images/2006/0914elpe.jpg"&gt;&lt;br/&gt;&lt;br /&gt;&lt;br /&gt;I wrote my last exam, ever!  Fittingly, it was of the cattle-herding variety in the PAC.  
Far from making me feel that my university experience was a generic, one-size-fits-all dehumanizing experience, this fact rejuvenated me:  even downed cows get dragged off to market to be sold for beef.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5226654204832281941?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5226654204832281941/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5226654204832281941' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5226654204832281941'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5226654204832281941'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2008/04/1-degree-of-separation.html' title='1 degree of separation'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5265985608797213374</id><published>2008-04-18T15:41:00.003-04:00</published><updated>2008-04-18T15:42:28.509-04:00</updated><title type='text'>Tripping in Europe</title><content type='html'>Check out our &lt;a href="http://nerdsineurope.blogspot.com"&gt;travel blog&lt;/a&gt; for the trip Jenn and I are taking this summer.&lt;br /&gt;&lt;br /&gt;(That's right - now I have two blogs to neglect!)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7021685-5265985608797213374?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5265985608797213374/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5265985608797213374' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5265985608797213374'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5265985608797213374'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2008/04/tripping-in-europe.html' title='Tripping in Europe'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-463819309847718743</id><published>2008-01-28T00:28:00.000-05:00</published><updated>2008-01-28T00:29:10.403-05:00</updated><title type='text'>Life-altering decisions</title><content type='html'>&lt;blockquote&gt;Please note that you might think that making life-altering decisions, like selling your home, breaking a lease, taking a trip abroad before starting your new job, or giving notice might be logical and immediate steps after receiving an offer from Microsoft, but if you are a visa-dependent candidate, these types of decisions can cause problems in the immigration process.&lt;br /&gt;&lt;br /&gt;Please wait to make any life-altering decision until after you have spoken with our immigration team for advice.  
This will ensure a smooth transition to Microsoft.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Oops.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-463819309847718743?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/463819309847718743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=463819309847718743' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/463819309847718743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/463819309847718743'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2008/01/life-altering-decisions.html' title='Life-altering decisions'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-753337389503303702</id><published>2008-01-14T16:51:00.000-05:00</published><updated>2008-01-14T17:08:19.307-05:00</updated><title type='text'>Windows CardSpace and me</title><content type='html'>I've accepted a job with Microsoft, where I will be working on &lt;a href="http://en.wikipedia.org/wiki/Windows_CardSpace"&gt;Windows CardSpace&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-753337389503303702?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://cldellow.blogspot.com/feeds/753337389503303702/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=753337389503303702' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/753337389503303702'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/753337389503303702'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2008/01/windows-cardspace-and-me.html' title='Windows CardSpace and me'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5275392385847499098</id><published>2007-12-29T17:30:00.000-05:00</published><updated>2007-12-29T17:56:37.456-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='comics'/><category scheme='http://www.blogger.com/atom/ns#' term='moo'/><category scheme='http://www.blogger.com/atom/ns#' term='regex'/><category scheme='http://www.blogger.com/atom/ns#' term='intellectual property'/><category scheme='http://www.blogger.com/atom/ns#' term='theft'/><category scheme='http://www.blogger.com/atom/ns#' term='bsd'/><title type='text'>Cows, part 2</title><content type='html'>In Grade 9, I wrote a &lt;a href="http://colin_dcomix.tripod.com/Screenshots.html"&gt;program to download comics and newspapers from the web&lt;/a&gt;&lt;sup&gt;&lt;a href="#80s"&gt;[1]&lt;/a&gt;&lt;/sup&gt; and display them in a whiz-bang DHTML page (that's right, back in my day we called it DHTML, you young whippersnappers, none of this new-age &lt;i&gt;AJAX&lt;/i&gt; crap.)  
&lt;br /&gt;&lt;br /&gt;Anyway, to drive this, I realized I could write a bunch of painstaking code to generate the URLs to download the images, or I could write some sort of text-based configuration file that would drive the program.&lt;br /&gt;&lt;br /&gt;That worked well for simple cases.  Over time, distributors got tricky:  the URL for their image had some custom string in it that you could only get if you loaded a specific page on the given day.  And you had to have a specific Referer, too!  This required a complex pattern matching system.  I realized I could write a bunch of painstaking code to match the patterns I needed... or I could look into this thing called regular expressions that I had kept seeing people use on the MOO.&lt;br /&gt;&lt;br /&gt;As always, I didn't have a &lt;a href="http://www.cs.uwaterloo.ca/current/courses/course_descriptions/cDescr/CS241.shtml"&gt;deep understanding of what they were&lt;/a&gt;, but seeing what they could do pretty much blew my 14-year-old mind away.&lt;br /&gt;&lt;br /&gt;And thus, I committed my first act of (unintentional!) intellectual property theft by including the regexpr package from the LambdaMOO server into my program wholesale. "Attribution? What's that?"  Consider this a mea culpa and a fix after the fact.&lt;br /&gt;&lt;br /&gt;&lt;a name="80s"&gt;&lt;/a&gt;&lt;b&gt;[1]&lt;/b&gt; &lt;i&gt;I now understand how older folks feel when they say "it was the 70s," as if the date somehow excuses their pastel leisure suits. It was the 90s: back then, if you were on the web and didn't have enough popups and banner ads to induce seizures in rates competitive with modern Japanese anime, you were a nobody.  
&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5275392385847499098?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5275392385847499098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5275392385847499098' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5275392385847499098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5275392385847499098'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/12/cows-part-2.html' title='Cows, part 2'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6060726080966786394</id><published>2007-12-29T00:46:00.001-05:00</published><updated>2007-12-29T01:14:44.816-05:00</updated><title type='text'>Cows, part 1</title><content type='html'>I first learned to hack code in BASIC and Pascal, but the language that truly brought me into the inner circle of real programmers was the MOO language.  Invented at the famous Xerox PARC facility, MOOs were programmable, object-oriented, networkable, multi-user, concurrent, distributed environments.  Every nerd's wet dream.&lt;br /&gt;&lt;br /&gt;An icon of MOO days was yduJ ("rhymes with fudge"), who wrote a few tutorials on the inner workings of MOOs.  
I am convinced that if a CS grad cannot explain all the concepts touched on in the &lt;a href="http://www.hayseed.net/MOO/yduj_lore.txt"&gt;MOO Lore Pamphlet&lt;/a&gt;, they should get a hard spanking and a stern talking-to.  Although I didn't realize it at the time, the pamphlet mentions:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;network latency&lt;/li&gt;&lt;li&gt;usenet&lt;/li&gt;&lt;li&gt;virtual memory and paging&lt;/li&gt;&lt;li&gt;concurrency&lt;/li&gt;&lt;li&gt;timeslicing&lt;/li&gt;&lt;li&gt;caching (and arguably, memoization)&lt;/li&gt;&lt;li&gt;event-based programming&lt;/li&gt;&lt;li&gt;heritability of security permissions&lt;/li&gt;&lt;li&gt;setuid&lt;/li&gt;&lt;li&gt;spoofing attacks&lt;/li&gt;&lt;li&gt;stack walking&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Sadly, &lt;a href="http://www.moo.ca/"&gt;the MOO where I truly learned to code&lt;/a&gt; is now basically a museum relic - its once-youthful population has reached old age (i.e., kicked out of our parents' basements) and has moved on.  
Mostly to Google, it seems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6060726080966786394?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6060726080966786394/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6060726080966786394' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6060726080966786394'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6060726080966786394'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/12/cows-part-1.html' title='Cows, part 1'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-8754402880188923412</id><published>2007-12-28T02:09:00.000-05:00</published><updated>2007-12-29T02:13:33.967-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='vim'/><title type='text'>Stupid VIM tricks, part 1</title><content type='html'>To insert a GUID into your document simply by typing 'guid', toss this into your .vimrc:&lt;br /&gt;&lt;br /&gt;&lt;code&gt;&lt;br /&gt;imap guid &amp;lt;esc&amp;gt;:r! 
C:\path\to\uuidgen.exe&amp;lt;cr&amp;gt;k$Jx40la&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;&lt;br /&gt;The k$Jx40la does as follows:&lt;br /&gt;&lt;br /&gt;k -&gt; move up one line&lt;br /&gt;$ -&gt; go to end of line&lt;br /&gt;J -&gt; concatenate line below with this one&lt;br /&gt;x -&gt; delete the space that concatenation created&lt;br /&gt;40l -&gt; move cursor right 40 spaces (length of a guid)&lt;br /&gt;a -&gt; return to insert mode, with cursor positioned where it was before we started&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-8754402880188923412?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/8754402880188923412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=8754402880188923412' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8754402880188923412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8754402880188923412'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/stupid-vim-tricks-part-1.html' title='Stupid VIM tricks, part 1'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4765581996065885287</id><published>2007-12-21T20:07:00.000-05:00</published><updated>2007-12-22T16:20:18.799-05:00</updated><title type='text'>A momentous occasion</title><content type='html'>Hi there,&lt;br /&gt;&lt;br /&gt;April 30th, 2008.&lt;br 
/&gt;&lt;br /&gt;I greatly dislike your company.  The quality of your service is subpar at best, and your website is an exemplar of the sort of functionality that a 12-year-old with FrontPage 97 could provide if you bought him off with a crisp twenty dollar bill.&lt;br /&gt;&lt;br /&gt;I cannot wait until the day that I am free from your company’s shackles -- that day will be April 30th.  It will be a joyous day, marked with tales around the now-silent TV, amid the unblinking glow of the LEDs of a router that is no longer connected to the intarwebs.  There will be champagne for the adults and fizzy ginger ale for the kids.  In fact, my fiancee and I are contemplating changing our anniversary to April 30th to forever remember the most special day in our lives.  It's either that or get married on that day -- as math majors, the symmetry of us joining together while simultaneously dissolving our union with you has a certain aesthetic to the two of us.  Whatever we choose, the champagne is chilling and the fireworks are waiting (in a cold, dry storage area - your concerns for our safety are noble, but we’ll live to see the day we sever our ties with Rogers if it kills us). &lt;br /&gt;&lt;br /&gt;That said, I want to pay you hundreds of dollars!&lt;br /&gt;&lt;br /&gt;Sorry... did that seem like I wasted a lot of time just so I could pay you money?  Yup, that’s about how I feel every month when I try to pay you.&lt;br /&gt;&lt;br /&gt;Anyway, I would love to pay you, but I can't! Apparently, since signing up for a Rogers Home Phone account, I am unable to view/pay bills for my Rogers services until I link my Rogers Wireless account on to my One Bill.  &lt;br /&gt;&lt;br /&gt;I don't get it - I don't have a Rogers Wireless account.  Oh, I see.  The Home Phone, which is not a wireless phone in any sense of the word, is a Wireless account.  Duh.  So I click on Combine Your Bills.  Uh oh - 500 Internal Server Error.  Let’s try that again.  Hey it worked!  
In fact, it worked really well: "The Wireless and Cable accounts you have registered to this User ID are already subscribed to Rogers One Bill."&lt;br /&gt;&lt;br /&gt;Oh, I see.  I have to register my Wireless account with my One Bill.  It’s part of the One Bill, just not registered with the One Bill.  Duh.&lt;br /&gt;&lt;br /&gt;I phoned your customer support number to get the information needed to register my account.  That was fun.  "Home phone."  "Billing." "Home phone."  "Human."  "Billing."  "Home phone." Clearly, the 12 year-old felt $20 was too much payment for the website, so he chipped in on the classy speech-recognition part of your telephone system.&lt;br /&gt;&lt;br /&gt;The one redeeming point of this could have been your customer service rep:  she was almost able to answer my question: "what’s my account number?"  Sadly, we got sidetracked with updating my contact information - do I have an email address?  Do I have a phone number?  &lt;br /&gt;&lt;br /&gt;Yes, Cathy, I do have a phone number.  
Now that I’ve paid my bill, I’ll have a phone number for another 131 days.&lt;br /&gt;&lt;br /&gt;Colin&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4765581996065885287?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4765581996065885287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4765581996065885287' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4765581996065885287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4765581996065885287'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/12/momentous-occasion.html' title='A momentous occasion'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-8065377443767378349</id><published>2007-11-26T21:12:00.000-05:00</published><updated>2007-11-26T21:26:57.357-05:00</updated><title type='text'>Rock Band</title><content type='html'>I was stranded in Vancouver on my return from Toronto this weekend.  Luckily, &lt;a href="http://sarah.andyc.org/gallery/day1/IMG_0195"&gt;Sarah &amp; Andy&lt;/a&gt; put me up overnight and I got a ride back with Andy, arriving just in time for Monday's team meeting at 1PM.&lt;br /&gt;&lt;br /&gt;During the pre-meeting chitchat, a colleague was talking about the highly-anticipated Rock Band game that he had just managed to get a copy of this weekend.  
After some back and forth about how cool the game was, I noted...&lt;br /&gt;&lt;br /&gt;"Funny.  I, too, purchased a &lt;a href="http://cldellow.com/images/ring.jpg"&gt;rock band&lt;/a&gt; this weekend..."&lt;br /&gt;&lt;br /&gt;Jenn and I are engaged as of November 22, 2007.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-8065377443767378349?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/8065377443767378349/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=8065377443767378349' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8065377443767378349'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8065377443767378349'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/rock-band.html' title='Rock Band'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3974369873478205609</id><published>2007-11-23T17:53:00.001-05:00</published><updated>2007-11-23T17:53:22.928-05:00</updated><title type='text'>How do you recognize a good programmer, part 1</title><content type='html'>...he catches exceptions without even trying.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3974369873478205609?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3974369873478205609/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3974369873478205609' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3974369873478205609'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3974369873478205609'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/how-do-you-recognize-good-programmer.html' title='How do you recognize a good programmer, part 1'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6571583196637772072</id><published>2007-11-15T09:37:00.000-05:00</published><updated>2007-11-15T09:45:54.991-05:00</updated><title type='text'>Zune 2: Wow</title><content type='html'>Zune 1 was a standard V1 offering:  clunky hardware, software that was a bloated reskin of Windows Media Player 11.  I understand.&lt;br /&gt;&lt;br /&gt;Zune 2 is a total revamp.  Custom software written on the UI framework that powers Windows Media Center.  It looks amazing.  And, for a subscription music fiend like me... it rocks to have all this music at your fingertips.  
(Click the thumbnail to get a bigger version.)&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;strong&gt;Music collection, viewing songs by R.E.M.&lt;/strong&gt;&lt;br/&gt;&lt;br /&gt;&lt;a href="http://www.eng.uwaterloo.ca/~cldellow/zuneREM.jpg"&gt;&lt;img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneREM.jpg"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br/&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Music marketplace, main page&lt;/strong&gt;&lt;br/&gt;&lt;br /&gt;&lt;a href="http://www.eng.uwaterloo.ca/~cldellow/zuneMarketplace.jpg"&gt;&lt;img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneMarketplace.jpg"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br/&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Music marketplace, viewing songs by Rolling Stones&lt;/strong&gt;&lt;br/&gt;&lt;br /&gt;&lt;a href="http://www.eng.uwaterloo.ca/~cldellow/zuneRollingStones.jpg"&gt;&lt;img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneRollingStones.jpg"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br/&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Now playing mode (warning:  full screen on a pretty big monitor)&lt;/strong&gt;&lt;br/&gt;&lt;br /&gt;&lt;a href="http://www.eng.uwaterloo.ca/~cldellow/zuneNowPlayingMode.jpg"&gt;&lt;img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneNowPlaying.jpg"&gt;&lt;/a&gt;&lt;br /&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6571583196637772072?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6571583196637772072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6571583196637772072' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6571583196637772072'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7021685/posts/default/6571583196637772072'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/zune-2-wow.html' title='Zune 2: Wow'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-178479595312685365</id><published>2007-11-12T04:52:00.001-05:00</published><updated>2007-11-12T04:57:25.781-05:00</updated><title type='text'>Rogers really sucks</title><content type='html'>I got an email from Rogers -- I can get a sneak preview of their new website!&lt;br /&gt;&lt;br /&gt;Naturally, I assumed this was because of my &lt;a href="http://cldellow.blogspot.com/2007/03/why-i-dont-have-cellphone.html"&gt;well-known love&lt;/a&gt; of &lt;a href="http://cldellow.blogspot.com/2007/09/joy-of-being-globetrotting-uw-co-op.html"&gt;their&lt;/a&gt; &lt;a href="http://cldellow.blogspot.com/2007/11/rogers-sucks.html"&gt;current website&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The new website?  It starts by asking you to identify your province.&lt;br /&gt;&lt;br /&gt;In a Flash applet.&lt;br /&gt;&lt;br /&gt;Well done, Rogers.&lt;br /&gt;&lt;br /&gt;PS - If you visit the current rogers.com in Firefox with JavaScript disabled, you get a 500 Server Error.  Seriously?  
Seriously.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-178479595312685365?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/178479595312685365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=178479595312685365' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/178479595312685365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/178479595312685365'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/rogers-really-sucks.html' title='Rogers really sucks'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1764405044353874606</id><published>2007-11-05T03:44:00.000-05:00</published><updated>2007-11-05T03:46:42.046-05:00</updated><title type='text'>Rogers sucks</title><content type='html'>I hate Rogers.&lt;br /&gt;&lt;br /&gt;Just &lt;a href="http://www.google.ca/search?hl=en&amp;q=i+hate+rogers&amp;meta="&gt;casting another vote&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(Yup, "We are currently experiencing system problems. Please try again later, or call one of our Rogers e-Care repesentatives at 1-877-343-5745."  
Nice use of the word "currently", to imply there's some sort of ephemerality to the situation.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1764405044353874606?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1764405044353874606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1764405044353874606' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1764405044353874606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1764405044353874606'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/11/rogers-sucks.html' title='Rogers sucks'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6244669888551747077</id><published>2007-10-29T03:25:00.001-04:00</published><updated>2007-10-29T03:36:19.595-04:00</updated><title type='text'>Random Thoughts from a Weekend in Cleveland</title><content type='html'>Congratulations &lt;a href="http://www.rickandlindsay.com/"&gt;Rick and Lindsay&lt;/a&gt; on a year of marriage and your official start as a Catholic couple this past weekend.&lt;br /&gt;&lt;br /&gt;The wedding mass was very nice and was followed up with some very heartfelt toasts at the reception.  
In particular, I was impressed by the toast of the best man -- Rick's high school buddy, Mike Bishara -- who told of having to relay the details of Lindsay's almost-four-hour-long triple-overtime Harvard game to a smitten Rick when his internet went down.&lt;br /&gt;&lt;br /&gt;Congrats, you two - you'll have to post an update when you have your wedding photos ready for public distribution!&lt;br /&gt;&lt;br /&gt;Colin&lt;br /&gt;&lt;br /&gt;PS - Security theatre took place at the Cleveland airport as TSA officials tried to convert millilitres to ounces.  "75 ml.   It don't look too big."  "Au floristat?"  "Is this 3.4 ounces?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6244669888551747077?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6244669888551747077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6244669888551747077' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6244669888551747077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6244669888551747077'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/10/random-thoughts-from-weekend-in.html' title='Random Thoughts from a Weekend in Cleveland'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6912283007866633172</id><published>2007-09-19T08:30:00.000-04:00</published><updated>2007-09-19T14:32:14.542-04:00</updated><title type='text'>Heard at NEO</title><content type='html'>At Microsoft's New Employee Orientation, they were impressing upon us the diversity of the company.   "What country are you from?"&lt;br /&gt;&lt;br /&gt;"Canada"&lt;br /&gt;"Trinidad and Tobago"&lt;br /&gt;"Iran"&lt;br /&gt;"England"&lt;br /&gt;"Quebec"&lt;br /&gt;&lt;br /&gt;...about half the room got the joke, but not the presenter.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6912283007866633172?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6912283007866633172/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6912283007866633172' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6912283007866633172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6912283007866633172'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/09/heard-at-neo.html' title='Heard at NEO'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-359681469167497508</id><published>2007-09-17T00:55:00.000-04:00</published><updated>2007-09-17T01:11:48.457-04:00</updated><title type='text'>The Joy of Being a Globetrotting UW Co-op Student</title><content type='html'>Money is a giant pain in the ass - why can't it all be a lot smoother? &lt;br /&gt;&lt;br /&gt;I'm writing this because I'm sitting down to pay the month's bills.  Comcast, Rogers, Puget Sound Energy, BRE Trails, Visa cards, and ISTA, oh my!  And, of course, Rogers's website is down.  Again.&lt;br /&gt;&lt;br /&gt;When (if?) I successfully pay these bills, I will get to go forth and scatter bills for the amount paid via social money management tools, such as my favourite, BillMonk.&lt;br /&gt;&lt;br /&gt;In the two years that we've used BillMonk to track the shared expenses in our households, I've racked up $46,723.83 of "stuff".  That's not necessarily $46,723.83 of expenses, mind you.  Some of it is, of course: rent, utilities, entertainment, food, furniture.  But some of it is just paperwork to shuffle debt from person A to person B to make settling up easier -- these line entries can add up, as person-to-person lines of credit often get close to four figures during a semester.  Some of it is neither expense nor accounting acrobatics:  BillMonk is currently tracking multiple security deposits that I jointly hold with four other people totalling $1,921.16.&lt;br /&gt;&lt;br /&gt;Why do we even have to think about this stuff?  Where's the infrastructure to allow multiple people to commit to expenses jointly and seamlessly?  
Failing that, where's the infrastructure for people to auto-approve bank transfers to specified individuals (not corporations) up to specific dollar amounts?&lt;br /&gt;&lt;br /&gt;The Pareto principle likely excludes me from getting the kind of banking and money management scenario I want, since I suspect my experience is pretty far outside the bell curve of normal.  Relocating (with new housemate, no less) every four months has its downsides.  I can't wait for this to be over.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-359681469167497508?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/359681469167497508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=359681469167497508' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/359681469167497508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/359681469167497508'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/09/joy-of-being-globetrotting-uw-co-op.html' title='The Joy of Being a Globetrotting UW Co-op Student'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5024131577500431366</id><published>2007-09-12T23:37:00.000-04:00</published><updated>2007-09-12T23:40:27.920-04:00</updated><title type='text'>Comments on Amazon</title><content type='html'>One great thing about the Internet is you can 
rarely tell strictly from the text whether a person is being gut-wrenchingly sincere or devilishly deadpan.  Take, for example, this review for the board book Guess How Much I Love You:&lt;br /&gt;&lt;blockquote&gt;A minor concern: The characters are Little Nutbrown Hare and Big Nutbrown Hare. For those of us with mild dyslexia, it is too easy to refer to them as Little Brown Nut-Hair and Big Brown Nut-Hair, which is very different and considerably changes the tone of the story. I accept that this may be my personal problem, and I don't even believe it is appropriate to share it in this format.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5024131577500431366?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5024131577500431366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5024131577500431366' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5024131577500431366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5024131577500431366'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/09/comments-on-amazon.html' title='Comments on Amazon'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-31129367895520300</id><published>2007-09-02T02:39:00.000-04:00</published><updated>2007-09-02T02:45:42.270-04:00</updated><title 
type='text'>Win the battle, lose the war</title><content type='html'>I've chatted in the past year with my father and Dan about merchants asking for photo ID when making Visa purchases.  Turns out, this is against Visa's &lt;a href="http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf"&gt;Rules for Merchants&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So, while making a purchase today, I refused the clerk's request for photo ID.  In his ignorance of the rules, he would not permit the transaction to go through.  However, after escalating the issue to his manager, I successfully made the purchase without showing ID.&lt;br /&gt;&lt;br /&gt;On the downside, this was done in the US.  And to get in to the US, I was incorrectly asked to present my fingerprints and smiling face for the record.  As I didn't have the balls to challenge Mr. R. Chai, the friendly customs officer, my biometric data is now sitting in one more database.  Thanks, Department of Homeland Security -- that's one more terrorist that will never slip through your borders!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-31129367895520300?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/31129367895520300/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=31129367895520300' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/31129367895520300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/31129367895520300'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/09/win-battle-lose-war.html' title='Win the battle, lose the 
war'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4433227860313156883</id><published>2007-08-17T07:58:00.000-04:00</published><updated>2007-08-17T08:05:24.783-04:00</updated><title type='text'>Customer service done right</title><content type='html'>&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nickelbrook.com/"&gt;Better Bitters Brewery&lt;/a&gt;&lt;blockquote&gt;Despite being a small microbrewery, Better Bitters (maker of the tasty Nickel Brook Green Apple Pilsner) was eager to give us a tour.  Or rather, the owner, who was a very affable guy named John Romano, was eager.  Despite being busy, John walked us through the process they used to create great beers and even included a sampling of how beer tastes at various stages in the production process.  Consummate small business attention to the customer throughout -- we've since finished the six cases we picked up from him.  I wonder if they have Nickel Brook in the States? ;) &lt;/blockquote&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.feedjit.com"&gt;Feedjit&lt;/a&gt;&lt;blockquote&gt;Feedjit is some new whiz bang web 2.0 thang. What kind of thang in particular is not important.&lt;p&gt;What is important is that after e-mailing the creator about a bug, I got a response confirming the existence of the bug and apologizing for it within 2 minutes. The bug was fixed within an hour.  I received an email from the creator notifying me within an hour of that.  
Impressive!&lt;/blockquote&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4433227860313156883?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4433227860313156883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4433227860313156883' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4433227860313156883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4433227860313156883'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/customer-service-done-right.html' title='Customer service done right'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7563725782475358263</id><published>2007-08-15T15:12:00.000-04:00</published><updated>2007-08-15T15:26:08.710-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='cookieinjector'/><title type='text'>CookieInjector, part 4</title><content type='html'>Having demonstrated how CookieInjector &lt;a href="http://cldellow.blogspot.com/2007/08/cookieinjector-part-3.html"&gt;works on a day-to-day basis&lt;/a&gt;, the next question is: how do you tell CookieInjector what your passwords are?  
How do you get that snazzy Cookie Monster card?&lt;br /&gt;&lt;br /&gt;By using the CookieInjector Configuration tool, as demonstrated in the following screencast.&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href="http://cldellow.com/files/CookieInjector_Config.wmv"&gt;&lt;img src="http://cldellow.com/images/cookieinjector_config_demo.jpg"&gt;&lt;/a&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7563725782475358263?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7563725782475358263/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7563725782475358263' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7563725782475358263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7563725782475358263'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/cookieinjector-part-4.html' title='CookieInjector, part 4'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7383422542871235841</id><published>2007-08-14T13:15:00.000-04:00</published><updated>2007-08-14T13:28:31.937-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='cookieinjector'/><title type='text'>CookieInjector, part 3</title><content type='html'>I've got a first cut of an end-to-end CookieInjector 
session - check out a sample video below, where I log in to Gmail and Quest (my university's student management system).  When logging in to Gmail, I actually log in twice, to demonstrate that separate sessions are being created.&lt;br /&gt;&lt;br /&gt;Note that the Cookie Jar claim value holds all the cookies needed to log in, but the display value is simply a hash of the cookies.  It's basically a placebo for the user so they know that &lt;i&gt;something&lt;/i&gt; happened.&lt;br /&gt;&lt;br /&gt;When logging in to Quest, I skip the preview/retrieve steps and do a one-click log in.&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href="http://cldellow.com/files/cookieinjector_gmail_quest.wmv"&gt;&lt;img src="http://cldellow.com/images/cookieinjector_demo_wmv.jpg"&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;This demo should illustrate the concrete improvements that CookieInjector and CardSpace give us:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;consistent UI for authentication to different websites&lt;/li&gt;&lt;li&gt;centralized tracking of authentication&lt;br /&gt;&lt;ul&gt;&lt;li&gt;...you can't see it, but my IP/STS records every time I authenticate to a specific service&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;li&gt;and, of course, you never need to enter a primary, long-lived password at a web site!&lt;ul&gt;&lt;li&gt;...this has other ramifications, too:  if I want to allow my housemates access to the online portals that show our internet, cable, and power bills, I can do that by granting them their own cards that are allowed to authenticate to a subset of my accounts&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7383422542871235841?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7383422542871235841/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7383422542871235841' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7383422542871235841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7383422542871235841'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/cookieinjector-part-3.html' title='CookieInjector, part 3'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6147910668293262006</id><published>2007-08-12T23:37:00.000-04:00</published><updated>2007-08-12T23:40:13.873-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cookieinjector'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='ece493'/><title type='text'>ECE 493: Security</title><content type='html'>While studying for my ECE 493 exam, I accidentally stumbled on to two large security holes at a major multinational utility provider and a major multinational bank.&lt;br /&gt;&lt;br /&gt;I wouldn't care, but c'mon, with revenues like they have, surely they can afford a code review or two.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6147910668293262006?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6147910668293262006/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6147910668293262006' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6147910668293262006'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6147910668293262006'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/ece-493-security.html' title='ECE 493: Security'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7038355453128170936</id><published>2007-08-12T15:59:00.001-04:00</published><updated>2007-08-12T16:17:09.121-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cookieinjector'/><title type='text'>CookieInjector, part 2</title><content type='html'>CookieInjector can now log me in to Bank of America, Bloglines, DreamHost, Facebook, Gmail, RBC and TD Canada Trust.  
I am deeply indebted to Eric Lawrence for his &lt;a href="http://www.fiddler2.com"&gt;Fiddler &lt;/a&gt;HTTP/S traffic sniffer.&lt;br /&gt;&lt;br /&gt;One major lesson I have learned:  banks have convoluted, mostly-broken web sites.&lt;br /&gt;&lt;br /&gt;So far, I just have two of the components functioning:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The library component to securely store passwords, authenticate to sites, and return the list of cookies&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The browser helper object to recognize when we are at a site for which my system can handle authentication&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;Still to do:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Extend the BHO to invoke CardSpace using my CodeCompete SSL cert&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Write an IP/STS that shreds incoming requests, invokes the appropriate authentication, and returns the cookie&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;Now that CardSpace has an official icon, supported webpages automatically get the following overlay when the more secure form of authentication is available:&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;img src="http://cldellow.com/images/bho.jpg"&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7038355453128170936?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7038355453128170936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7038355453128170936' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7038355453128170936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7038355453128170936'/><link rel='alternate' type='text/html' 
href='http://cldellow.blogspot.com/2007/08/cookieinjector-part-2.html' title='CookieInjector, part 2'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-529797134874312944</id><published>2007-08-10T00:08:00.001-04:00</published><updated>2007-08-10T00:25:55.876-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cardspace'/><category scheme='http://www.blogger.com/atom/ns#' term='cookieinjector'/><title type='text'>CookieInjector: The Idea</title><content type='html'>Three things you may know about me:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;My UW password (and thus, my GMail, TD Canada Trust, Bank of America, and cldellow.com passwords) were recently exposed by the &lt;a href="http://cldellow.blogspot.com/2007/08/shame.html"&gt;ineptitude&lt;/a&gt; of my &lt;a href="http://ist.uwaterloo.ca/security/vulnerable/20070801.shtml"&gt;university&lt;/a&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;I dislike &lt;a href="http://cldellow.blogspot.com/2007/07/security-through-more-fucking-work-for.html"&gt;multi-factor authentication schemes&lt;/a&gt; that have become popular at banks recently.  They aren't truly multi-factor and they result in more work for me.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;CodeCompete, which started in &lt;a href="http://cldellow.blogspot.com/2007/05/codecompete-goes-live.html"&gt;May&lt;/a&gt;, is now &lt;a href="http://codecompete.ca/archive/2007/05/30/15.aspx"&gt;finished&lt;/a&gt;, so I have a spare SSL certificate kicking around.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;Granted, the widespread nature of (1) is my own fault.  I trusted my university not to expose my password, and thus I was sloppy and used the same password in multiple places.  
Bottom line: accidents happen, passwords get leaked. Plan for it.&lt;br /&gt;&lt;br /&gt;So, once bitten, twice shy. . .&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href="http://cldellow.com/images/cookieinjector_big.png"&gt;&lt;img src="http://cldellow.com/images/cookieinjector.png"&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;The above is my vision of a tool I've named the Cookie Injector.  It is composed of two parts:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;An IP/STS residing on my machine, that knows all of my passwords and has the ability to automatically talk to web-based authentication servers (e.g., google.com, uwaterloo.ca) to exchange my passwords for HTTP session cookies; and&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A C#.NET application that can invoke CardSpace to retrieve a token from the above IP/STS, extract the session cookies, and inject them into Internet Explorer on the given computer&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;Ideally, this will allow me to:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;have different passwords for google.com, microsoft.com, tdcanadatrust.com, bankofamerica.com, and uwaterloo.ca; and&lt;/li&gt;&lt;br /&gt;&lt;li&gt;not remember a single password, ever; which means:&lt;/li&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I'll never type a high-value or long-lived password into an untrusted machine&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I'll have complex, hard-to-remember passwords&lt;/li&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;...which can change on a weekly basis, automatically&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;br /&gt;I'll be tinkering with this over the next month or so, and will publish any interesting progress.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-529797134874312944?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://cldellow.blogspot.com/feeds/529797134874312944/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=529797134874312944' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/529797134874312944'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/529797134874312944'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/cookieinjector-idea.html' title='CookieInjector: The Idea'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1909461727219390107</id><published>2007-08-09T12:02:00.000-04:00</published><updated>2007-08-09T12:04:16.166-04:00</updated><title type='text'>Shame</title><content type='html'>UW has a tool called Kiwi that allows you to authenticate to federated systems as a UW student.&lt;br /&gt;&lt;br /&gt;Unfortunately, Kiwi logs your userid and password to a file when you log in.&lt;br /&gt;&lt;br /&gt;Unfortunately, Kiwi's logs were world-readable.&lt;br /&gt;&lt;br /&gt;Yep, we sure are good at that there CS thang.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1909461727219390107?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1909461727219390107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1909461727219390107' title='0 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1909461727219390107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1909461727219390107'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/shame.html' title='Shame'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1503425115052664246</id><published>2007-08-05T01:29:00.001-04:00</published><updated>2007-08-05T01:29:31.567-04:00</updated><title type='text'>I got my American tax refund!</title><content type='html'>...21 weeks after I filed it, and right before I start working again.  Thanks for nothing, USA!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1503425115052664246?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1503425115052664246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1503425115052664246' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1503425115052664246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1503425115052664246'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/08/i-got-my-american-tax-refund.html' title='I got my American tax 
refund!'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1394201645821169858</id><published>2007-07-31T18:48:00.000-04:00</published><updated>2007-07-31T18:50:32.538-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cs452'/><category scheme='http://www.blogger.com/atom/ns#' term='realtime'/><title type='text'>I make a lot of graphs...</title><content type='html'>How do you know your OS has priority inversion problems?  You draw a graph.  Don't tell Brad!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cldellow.com/files/graph.gif"&gt;&lt;img src="http://cldellow.com/files/graph_small.gif"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1394201645821169858?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1394201645821169858/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1394201645821169858' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1394201645821169858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1394201645821169858'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/i-make-lot-of-graphs.html' title='I make a lot of graphs...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1242018927122591345</id><published>2007-07-31T13:59:00.000-04:00</published><updated>2007-07-31T14:02:00.984-04:00</updated><title type='text'>Life's a bitch</title><content type='html'>Is the title of this blog sexist?&lt;br /&gt;&lt;br /&gt;I don't know, and neither would anyone else in the SE faculty, apparently.&lt;br /&gt;&lt;br /&gt;I just received my fourth (and final!) workterm report back from marking.&lt;br /&gt;&lt;br /&gt;On Page 1, Reviewer A notes in pencil that my use of the politically-correct term "he or she" is awkward and has no place in a technical document.&lt;br /&gt;&lt;br /&gt;On Page 5, Reviewer B notes in pen that my use of the term "man-month" is sexist and I should strive to find a gender-neutral term.&lt;br /&gt;&lt;br /&gt;Fuck it, I passed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1242018927122591345?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1242018927122591345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1242018927122591345' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1242018927122591345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1242018927122591345'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/lifes-bitch.html' title='Life&apos;s a 
bitch'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2843461728972068964</id><published>2007-07-29T22:35:00.001-04:00</published><updated>2007-07-29T22:48:23.489-04:00</updated><title type='text'>CS452: Real-time Operating Systems</title><content type='html'>I've spent far too much of the last three months in the trains lab (well, also in the phones lab programming &lt;a href="http://www.math.uwaterloo.ca/mfcf/operations/TourOld/TourPics/nortelswitch.jpg"&gt;this monstrosity&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;What were we doing in the trains lab? Writing a &lt;a href="http://en.wikipedia.org/wiki/Microkernel"&gt;microkernel&lt;/a&gt; operating system for the &lt;a href="http://en.wikipedia.org/wiki/X86"&gt;x86 architecture&lt;/a&gt; (what most people have inside their computers). This was different from ECE354, where we wrote a &lt;a href="http://en.wikipedia.org/wiki/Monolithic_kernel"&gt;monolithic&lt;/a&gt; operating system for the &lt;a href="http://en.wikipedia.org/wiki/68k"&gt;M68K architecture&lt;/a&gt; (the ones that powered early Macintosh PowerPCs).&lt;br /&gt;&lt;br /&gt;The course is broken down into 7 assignments: 1 introductory one, 3 where you build the OS, and 3 where you write user programs to run on the OS to track trains and do something cool with them. Our final project was a 911 dispatch service that estimated train arrival times at callee locations. 
The final thing was on the order of 20,000 lines of code and took several hundred hours of development time.&lt;br /&gt;&lt;br /&gt;Since two out of three of the group members were MSFT interns, we stole a few motifs from our corporate masters, including this common sight during the early days of coding:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cldellow.com/files/bsod.jpg"&gt;&lt;img src="http://cldellow.com/files/bsod_small.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Our console window:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cldellow.com/files/console.JPG"&gt;&lt;img src="http://cldellow.com/files/console_small.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The track:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://cldellow.com/files/track.jpg"&gt;&lt;img src="http://cldellow.com/files/track_small.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;One of our group members, Nima, wrote some beautiful code that applied artificial intelligence (in the form of &lt;a href="http://en.wikipedia.org/wiki/Bayesian_network"&gt;Bayesian networks&lt;/a&gt;) to give us a very robust, accurate train tracking subprocess that could even learn about the trains it was tracking over time. This &lt;a href="http://cldellow.com/files/trains.wmv"&gt;video shows our OS tracking 7 trains simultaneously&lt;/a&gt; -- which is pretty damned impressive.&lt;br /&gt;&lt;br /&gt;Real-time was a lot of work, but definitely one of the most satisfying courses I've taken. I attribute both to its "messiness" -- interacting with real-world, unreliable systems made the course a lot more difficult, but also a lot more rewarding.&lt;br /&gt;&lt;br /&gt;That's not to say there weren't several times that I ended up saying "I hate my life" (usually, this would be during a 30-hour marathon of coding/debugging.)  
And I'm not the only one -- prior students have &lt;a href="http://buddy.bbsg.ca/pics/cs452/pos-code.txt"&gt;composed songs &lt;/a&gt;to express their frustration with the course requirements.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2843461728972068964?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2843461728972068964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2843461728972068964' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2843461728972068964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2843461728972068964'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/cs452-real-time-operating-systems.html' title='CS452: Real-time Operating Systems'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-8802717139770366724</id><published>2007-07-16T11:28:00.000-04:00</published><updated>2007-07-16T11:29:27.174-04:00</updated><title type='text'>Ah, the long-beaked echidna</title><content type='html'>&lt;blockquote&gt;"Fears that one of the world’s rarest creatures had been driven to extinction have been allayed by a tribesman who told conservationists he had recently eaten one."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/7021685-8802717139770366724?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/8802717139770366724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=8802717139770366724' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8802717139770366724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/8802717139770366724'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/ah-long-beaked-echidna.html' title='Ah, the long-beaked echidna'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7319841919748143904</id><published>2007-07-09T03:03:00.000-04:00</published><updated>2007-07-09T03:35:31.954-04:00</updated><title type='text'>Richard M Stallman</title><content type='html'>RMS spoke at Waterloo recently.  His topic:  the role of copyright in light of advances in computer networks.&lt;br /&gt;&lt;br /&gt;RMS is an engaging speaker.  One thing I noticed immediately was his lack of hesitation - no ums or ahs to be heard anywhere during the 90 minute talk.  He pointed out many flaws in arguments for prolonged copyright, chiefly that there is very little marginal incentive for the artist -- they're liable to be dead and won't care if their works are copyrighted.&lt;br /&gt;&lt;br /&gt;That said, RMS is also a dangerous speaker.  
Not because his views don't mesh with mine, but because he doesn't play fair:  he used rhetoric better suited to Internet trolls than to someone who has contributed so much to the computer science community.&lt;br /&gt;&lt;br /&gt;Lines in particular that stood out:&lt;br /&gt;&lt;br /&gt;- he asserted that Microsoft put in a backdoor for the NSA in Windows, circa 1999.  This was widely debunked, including by noted cryptologist Bruce Schneier.&lt;br /&gt;&lt;br /&gt;- he called the United States government a terrorist organization.&lt;br /&gt;&lt;br /&gt;- he claimed Linus Torvalds wasn't interested in the rights and freedoms of users (while Linus doesn't see sufficient value in GPL v3 over GPL v2 to change the kernel licensing terms, surely that alone doesn't merit such a blanket statement?)&lt;br /&gt;&lt;br /&gt;- he redefined "Digital Rights Management" as "Digital Restrictions Management"&lt;br /&gt;&lt;br /&gt;- he suggested it should be a crime to cease supporting I/O devices&lt;br /&gt;&lt;br /&gt;He also used the standard communications techniques -- negative, anthropomorphic words when describing things he didn't like (kill, strangle, tighten the chains).&lt;br /&gt;&lt;br /&gt;Beyond the words, there was the content of his lecture, which seemed about on par for what I have read about RMS.&lt;br /&gt;&lt;br /&gt;Firstly, he spent about fifteen minutes discussing why Linux should be called GNU/Linux.  This part contained the accusation that Linus doesn't care about users' freedoms as well as calling the kernel only a small part of an operating system.  
While it is technically true that the kernel is but one piece of the overall system, calling a 6,000,000 line piece of code "small" was ironically petty.&lt;br /&gt;&lt;br /&gt;He then discussed his plans for copyright reform, motivating it through frequent reference to occasions when artists were not protected by copyright, but rather were harmed by their production company wielding a contract over their head.  I fail to see how shortening the duration of copyright protects people from signing dangerously one-sided contracts.&lt;br /&gt;&lt;br /&gt;He also proposed that copyright basically not be enforced for non-commercial, person-to-person sharing of music and videos.  He claimed this would not harm Hollywood because &lt;br /&gt;&lt;br /&gt;a) theatres and airlines, being commercial entities, would still pay royalties; &lt;br /&gt;b) Hollywood's costs are artificially inflated (see Hollywood accounting on Wikipedia for more)&lt;br /&gt;c) most Hollywood movies are crap, and use expensive special effects to cover up this fact.  If movies earned less, they'd be forced to be less crap.  I'm quoting him when I use the word crap.&lt;br /&gt;&lt;br /&gt;I question the validity of the statement that says royalties will not be harmed.  The triple release format of movies is what makes them profitable -- going first to theatres, then to rentals, then on sale.  Since RMS advocates replacing advertising budgets with people advertising for the company -- by playing the work of art to their friends -- I assume this triple release model must be done away with.  Instead, the work will be released to theatres and to the public simultaneously.&lt;br /&gt;&lt;br /&gt;Which, in my mind, means people will set up free, public screenings with projectors.  Which means no one will go to the theatres.  Which means no income for the movie.  
(Unless, ironically, it used lots of special effects which would be best enjoyed in a theatre.)&lt;br /&gt;&lt;br /&gt;Overall, the audience of some 300 students seemed to enjoy his talk.  I enjoyed his alternative views but he came off as too much of a demagogue for me to take his views seriously.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7319841919748143904?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7319841919748143904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7319841919748143904' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7319841919748143904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7319841919748143904'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/richard-m-stallman.html' title='Richard M Stallman'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6889466111956501337</id><published>2007-07-09T02:49:00.000-04:00</published><updated>2007-07-09T03:02:16.402-04:00</updated><title type='text'>Security through more-fucking-work-for-the-user</title><content type='html'>Bank of America and TD Canada Trust have recently started using security questions to authenticate users in online sessions.&lt;br /&gt;&lt;br /&gt;If you're not familiar with these, they go along the lines of this:&lt;br /&gt;&lt;br 
/&gt;"Warning.  We have detected you are trying to access your bank account.  Please enter the name of your best man."&lt;br /&gt;&lt;br /&gt;or&lt;br /&gt;&lt;br /&gt;"Warning.  We have detected you are trying to withdraw money.  Please enter the city you were married in."&lt;br /&gt;&lt;br /&gt;These questions are not only poorly chosen (thanks, BoA - lots of diversity with the wedding questions), they are often fairly weak as well (what university did you attend?).&lt;br /&gt;&lt;br /&gt;When it comes down to it, they're still shared secrets.&lt;br /&gt;&lt;br /&gt;And let's face it - this is a security measure meant to save us after a nefarious person has commandeered the following pieces of information:&lt;br /&gt;&lt;br /&gt;1) the name of your bank&lt;br /&gt;2) your username at the bank&lt;br /&gt;3) your password for that account&lt;br /&gt;&lt;br /&gt;The most likely way this person got my information was a keylogger they've quietly installed on my machine.  If they can install software on my machine, they can just redirect me to a man-in-the-middle attack, and presto, my cocoon of security is gone.&lt;br /&gt;&lt;br /&gt;But, "wait!" you cry, "it's not so bad!  An MITM attack would show up as a phishy URL".&lt;br /&gt;&lt;br /&gt;Unless they poisoned my DNS -- they have software running on my box, remember?&lt;br /&gt;&lt;br /&gt;"But they couldn't spoof the SSL!"&lt;br /&gt;&lt;br /&gt;Sure they could.  They have software running on my box.  They'll just whip up a key and shove it in the trusted store.  They can even add a new Thawte certificate to sign it, while they're at it.&lt;br /&gt;&lt;br /&gt;"But wait! You'd notice that they were asking you for your security question again!  Since security questions are only used to verify suspicious activity, surely this would tip you off!"&lt;br /&gt;&lt;br /&gt;Are you kidding me?  In today's click-through world, no one thinks twice before replying to a prompt.  
And if you bothered to question it, you'd notice this little gem: "Notice:  In response to a recent security analysis, we have flushed our cache of authentication and credential information.  You may be prompted to enter your security question again.  If you have any concerns, please call Bank of America at 1-(800)-EVIL-GUY."&lt;br /&gt;&lt;br /&gt;The average user's eyes would glaze over, and they'd mindlessly tap in all their secrets.&lt;br /&gt;&lt;br /&gt;I really, really can't wait until CardSpace becomes more accepted.  In the meantime, I'd rather not have the hassle of extra hoops that provide a very thin veneer of security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6889466111956501337?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6889466111956501337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6889466111956501337' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6889466111956501337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6889466111956501337'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/07/security-through-more-fucking-work-for.html' title='Security through more-fucking-work-for-the-user'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7017419075817474759</id><published>2007-06-29T00:31:00.001-04:00</published><updated>2007-06-29T00:48:53.746-04:00</updated><title type='text'>Speakers on campus</title><content type='html'>Attending UW has been a great opportunity to hear some very influential speakers in the world of computer science, including:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Bill_Gates"&gt;Bill Gates&lt;/a&gt;, on the future of computing&lt;/li&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Richard_Stallman"&gt;Richard Stallman&lt;/a&gt;, on the future of copyright&lt;/li&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Andrew_S._Tanenbaum"&gt;Andy Tanenbaum&lt;/a&gt;, on the future of kernel design&lt;/li&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Vinton_Cerf"&gt;Vint Cerf&lt;/a&gt;, on the future of the Internet&lt;/li&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Bjarne_Stroustrup"&gt;Bjarne Stroustrup&lt;/a&gt;, on the future of C++&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;I'm not sure what it says about our industry that people only ever want to talk about its future, and never about its current state.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7017419075817474759?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7017419075817474759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7017419075817474759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7017419075817474759'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7017419075817474759'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/06/speakers-on-campus.html' title='Speakers on campus'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7558972213006061542</id><published>2007-06-28T12:24:00.001-04:00</published><updated>2007-06-28T12:25:06.752-04:00</updated><title type='text'>Tim Sherwood, CS prof at UC Santa Barbara</title><content type='html'>&lt;blockquote&gt;"... [the] human side of the equation is not understood to people outside the field ... they think we're all Monty Python quoting, Star Trek loving, Cheetos eating, caffeine addicted, girlfriendless freaks ... 
when in fact most CS people barely eat any Cheetos."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7558972213006061542?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7558972213006061542/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7558972213006061542' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7558972213006061542'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7558972213006061542'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/06/tim-sherwood-cs-prof-at-uc-santa.html' title='Tim Sherwood, CS prof at UC Santa Barbara'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6390161172512394159</id><published>2007-05-08T05:56:00.000-04:00</published><updated>2007-05-08T06:03:03.079-04:00</updated><title type='text'>Last Work Term Report Ever!</title><content type='html'>My &lt;a href="http://cldellow.com/images/wtr4.png"&gt;last work term report&lt;/a&gt; ever is done.  Assuming it passes, that is.  And why shouldn't it?  
It's a beautiful piece of crap.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6390161172512394159?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6390161172512394159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6390161172512394159' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6390161172512394159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6390161172512394159'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/05/last-work-term-report-ever.html' title='Last Work Term Report Ever!'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7067921916334302355</id><published>2007-05-07T12:34:00.000-04:00</published><updated>2007-05-07T12:35:48.041-04:00</updated><title type='text'>CodeCompete Goes Live</title><content type='html'>University of Waterloo student?  Check.&lt;br /&gt;&lt;br /&gt;Want free stuff?  
Check.&lt;br /&gt;&lt;br /&gt;Register at &lt;a href="http://codecompete.ca/"&gt;CodeCompete&lt;/a&gt; in time for the early bird drawing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7067921916334302355?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7067921916334302355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7067921916334302355' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7067921916334302355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7067921916334302355'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/05/codecompete-goes-live.html' title='CodeCompete Goes Live'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7794986781489264194</id><published>2007-04-16T00:07:00.000-04:00</published><updated>2007-04-16T00:10:10.912-04:00</updated><title type='text'>Microsoft Intern Game 2007 Beta</title><content type='html'>40 hours of no sleep.  40 hours of the &lt;a href="http://interngame.com"&gt;Microsoft Intern Game&lt;/a&gt;'s 2007 beta.&lt;br /&gt;&lt;br /&gt;One word: amazing.  
There was &lt;span style="background-color:black; color:black;"&gt;xxxxxxx xxxx&lt;/span&gt;, a &lt;span style="background-color:black; color:black;"&gt;xxxx xxxxxx&lt;/span&gt; of &lt;span style="background-color:black; color:black;"&gt;xxxxxxxxxxxxx&lt;/span&gt;, &lt;span style="background-color:black; color:black;"&gt;xxxx&lt;/span&gt; and my personal favourite: &lt;span style="background-color:black; color:black;"&gt;xxxxxx&lt;/span&gt;.  And so much more.&lt;br /&gt;&lt;br /&gt;Of course, it's all a secret -- but interns at Microsoft this summer should keep an eye out for the hidden invitation to play!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7794986781489264194?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7794986781489264194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7794986781489264194' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7794986781489264194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7794986781489264194'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/04/microsoft-intern-game-2007-beta.html' title='Microsoft Intern Game 2007 Beta'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4399458326445628262</id><published>2007-04-08T05:24:00.000-04:00</published><updated>2007-04-08T06:46:53.683-04:00</updated><title type='text'>Machinima</title><content type='html'>Lately, I've been coming across a number of well-done machinimas.  Machinima is a portmanteau of machine animation -- animations made using computer programs that were designed for consumer entertainment, not as multimedia suites. Examples of source programs include the Halo video game series, the Sims and World of Warcraft.&lt;br /&gt;&lt;br /&gt;By well-done, I mean simply that it's astonishing what some artists have created using stock tools plus the odd hack to get additional textures or models.  Yes, it looks like a video game.  World of Warcraft machinimas in particular are limited and can feel very repetitive, since they are by nature set in a fantasy world which must conform to a rigid idea of what fantasy should be.  Most WoW machinimas are music videos for spoof songs -- which seems like a good fit.&lt;br /&gt;&lt;br /&gt;However, as games become more photorealistic and rich 3D models enter the public domain, even better opportunities will present themselves.&lt;br /&gt;&lt;br /&gt;I've collected a list of a few good examples of the genre below.  
Some were made by people as young as 12.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Instructional Videos&lt;/span&gt;&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=3_Zf3SUc8FU"&gt;Men's Washroom Ettiquette&lt;/a&gt; (the Sims)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=1AE5tfJi3NU"&gt;&amp;quot;Outtakes&amp;quot; from the above&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Music Videos&lt;/span&gt;&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=0atu-itr-aw"&gt;I Loved Her First&lt;/a&gt; (Sims)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=v4Wy7gRGgeA"&gt;Code Monkey&lt;/a&gt; (World of Warcraft)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=IltuqJhftzI"&gt;First of May&lt;/a&gt; (World of Warcraft, NSFW)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=LeZIIgbPzzI"&gt;Sk8er Boi&lt;/a&gt; (Sims)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=qPTnxrZeCWE"&gt;The Internet is for Porn&lt;/a&gt; (World of Warcraft, NSFW) &lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=gZEPyMBDS-k"&gt;I'm Too Sexy&lt;/a&gt; (World of Warcraft)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=MqClKirUz88"&gt;You're Beautiful&lt;/a&gt; (Sims)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=DUy4CrlEtvA"&gt;Mandy&lt;/a&gt; (Sims)&lt;br /&gt;* &lt;a href="http://www.youtube.com/watch?v=SN546pMybGg"&gt;Jesse's Girl&lt;/a&gt; (Sims)&lt;br /&gt;&lt;br /&gt;A side note to those who debate the 'artness' of this, the Washington Post recently ran an &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/04/04/AR2007040401721.html"&gt;article&lt;/a&gt; that claims art is... in the eye of the beholder.  Their test?  They had &lt;a href="http://en.wikipedia.org/wiki/Joshua_Bell"&gt;Joshua Bell&lt;/a&gt; and his $3,500,000 Stradivarius violin play on the subway during rush hour.  
He earned 32 dollars and change from all the passersby -- less than a third the cost of a ticket to one of his performances; six people stopped to listen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4399458326445628262?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4399458326445628262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4399458326445628262' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4399458326445628262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4399458326445628262'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/04/machinima.html' title='Machinima'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2308713332897910594</id><published>2007-03-30T04:01:00.000-04:00</published><updated>2007-03-30T04:13:17.091-04:00</updated><title type='text'>Tragically, I've gone deaf</title><content type='html'>I went to the Tragically Hip's concert at Moore theatre in Seattle tonight.&lt;br /&gt;&lt;br /&gt;It was a really, really great show and the audience was definitely doing its best to match Gord Downie's energy level.&lt;br /&gt;&lt;br /&gt;Also, you couldn't escape the feeling that everyone in the crowd was an expat.  In every cluster of four or more people, there'd be one with a maple leaf, or a hockey jersey, or something.  
&lt;br /&gt;&lt;br /&gt;Oh, and while waiting for an encore, the audience broke into a loud O Canada.  I think tonight was the first time I've actually heard an anthem truly being sung -- you could practically feel the groupthink in the room.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2308713332897910594?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2308713332897910594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2308713332897910594' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2308713332897910594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2308713332897910594'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/tragically-ive-gone-deaf.html' title='Tragically, I&apos;ve gone deaf'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4303688754097377854</id><published>2007-03-28T23:39:00.000-04:00</published><updated>2007-03-28T23:42:11.142-04:00</updated><title type='text'>Metapedia</title><content type='html'>Wikipedia's a great resource.  Usually, it's a good starting point for research.  
And the bits it's missing are usually called out with "stub templates".&lt;br /&gt;&lt;br /&gt;I never realized how childish I was until, the other day, when Sarah was researching &lt;a href="http://en.wikipedia.org/wiki/Phalloplasty"&gt;phalloplasty&lt;/a&gt;, I burst out laughing.  Ah, metahumour.  The best kind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4303688754097377854?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4303688754097377854/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4303688754097377854' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4303688754097377854'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4303688754097377854'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/metapedia.html' title='Metapedia'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2151423057063047306</id><published>2007-03-25T10:14:00.000-04:00</published><updated>2007-03-25T10:26:16.574-04:00</updated><title type='text'>Cohen on Howard: Final Thoughts</title><content type='html'>So, there you have it.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If I were the person at Microsoft responsible for allowing books to be released I would not have approved the book by Michael Howard and David LeBlanc.&lt;/blockquote&gt;&lt;br /&gt;&lt;br 
/&gt;&lt;blockquote&gt;In essence, this is a book about how Microsoft has screwed up security in their programming practices over the years and how they are trying to fix it.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;It also implies accountability, which is, as far as I can tell, a new thing at Microsoft in terms of software development.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;That's right, Microsoft does not want backward compatibility, but we all knew that a long time ago.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;While this is a good business model, it is a poor information protection approach. Which may be the real reason that Microsoft does so poorly in this arena. They tell us that the most valuable part of a bank is its vault - did they miss the information age somewhere? They probably never worked on bank security. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The book is almost 800 pages, by the way, and it does have a solid 40 pages of worthwhile content, not a bad bloat ratio for some software products.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This is consistent with their expressed view of applying theory where appropriate - that you should never do so. That's part of why they will continue to make big stupid mistakes from time to time. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;[...] but careful is not a word I would attribute to the authors of this book in their writing style. They approach the issues with reckless abandon, and that's entertaining at a minimum.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In Part 3, my hopes were dashed. Yes, part 2 continues in part 3. 
The separation is apparently only a trick to meet an administrative requirement of maximum section sizes, or perhaps a limitation of Word based on an integer overrun.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;I think that the lack of time and attention to the underlying issues, the lack of organization and models, and the inconsistencies and poor advice are all related to spending too little time thinking through the issues and organization of the book. This is reflective of the same corporate culture that led to the problems with security at Microsoft and in other software vendors.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A better name might be something like: "How poor quality programmers at Microsoft have produced hundreds of instances of the same 10 big mistakes in their code, and how they can do their jobs a little bit better". &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Is that the state of discussion in the software engineering community?  Cohen's writing is frequently hindered by poor logic and unchecked facts.  There seemed to have been more than a few ad hominem attacks on the authors simply because they worked for Microsoft.&lt;br /&gt;&lt;br /&gt;In my view, there were two good criticisms to come from his review:&lt;br /&gt;&lt;br /&gt;1 - the book is poorly organized&lt;br /&gt;2 - the section on input checking proposes regexes as the be-all, end-all for input validation&lt;br /&gt;&lt;br /&gt;It seems to me that could have been said much more succinctly than 5,400 words.  
Perhaps a chunk of the words freed up by being more direct could have been used to educate others on the areas he felt were poorly treated.&lt;br /&gt;&lt;br /&gt;Disappointing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2151423057063047306?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2151423057063047306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2151423057063047306' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2151423057063047306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2151423057063047306'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-final-thoughts.html' title='Cohen on Howard: Final Thoughts'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3464449709016048811</id><published>2007-03-25T10:07:00.000-04:00</published><updated>2007-03-25T10:14:11.214-04:00</updated><title type='text'>Cohen on Howard: Chapter 24</title><content type='html'>&lt;i&gt;Chapter 24 covers writing security documentation and error messages.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;But the problems in this chapter start early. 
On the second page they tell us not to use security through obscurity, after having told us in the prior chapter not to tell attackers anything.&lt;/blockquote&gt;&lt;br /&gt;This is nitpicking on the part of Cohen.  Yes, security through obscurity is a doomed tactic.  That doesn't mean attackers shouldn't have to work for every bit of information.  Why should we reduce the attackspace for them by providing them with useful information?&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;A few pages later, they tell us to not reveal anything sensitive in error messages, then give us what they think is a good example of telling the attacker that the password they just tried was wrong only because some of the characters were in the wrong case. Of course this eliminates the value of using case sensitive passwords in the first place, telling the attacker a great deal of useful information by reducing the search space by several orders of magnitude, but they seem to have missed that.&lt;/blockquote&gt;&lt;br /&gt;Cohen seems to not only have missed the thrust of this part of the book, but also seems to be labouring under the false impression that Windows passwords are case-insensitive.&lt;br /&gt;&lt;br /&gt;This section of the chapter is trying to say that error messages should empower legitimate users to solve problems while not giving away useful attack information.  For example, rather than saying "Your password is incorrect." you can say "Your password is incorrect.  Remember, passwords are case sensitive." to hint that the user needs to pay extra attention.  It does not in any way propose that you say "Your password is incorrect.  However, if you uppercased the 3rd letter, it would be correct."&lt;br /&gt;&lt;br /&gt;Cohen's line of reasoning would have made more sense had he complained that they told the user the password was wrong -- thus implying that the username was correct and reducing the attacker's work by several orders of magnitude.  
But he seems to have missed that.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3464449709016048811?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3464449709016048811/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3464449709016048811' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3464449709016048811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3464449709016048811'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-24.html' title='Cohen on Howard: Chapter 24'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4118889988710300019</id><published>2007-03-25T10:02:00.000-04:00</published><updated>2007-03-25T10:33:52.938-04:00</updated><title type='text'>Cohen on Howard: Chapter 23</title><content type='html'>&lt;i&gt;Chapter 23 is a grab bag of good practices.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;In general, Cohen's review of this chapter is fair-minded.  He criticizes the grab bag approach as indicative of the book's overall lack of organization.  
Seems fair: Chapter 23 is the "General Good Practices" chapter in "Part IV: Special Topics" (not to be confused with "Part II: Secure Coding Techniques" or "Part III: Even More Secure Coding Techniques").&lt;br /&gt;&lt;br /&gt;One thing I must point out from having worked on Microsoft CardSpace is the following line in Cohen's review:&lt;br /&gt;&lt;blockquote&gt;They are right, we should have and use standards that allow representation to be product independent, but of course Microsoft is the company that brings you proprietary versions of everything to keep you from buying other vendor products. &lt;/blockquote&gt;&lt;br /&gt;Microsoft CardSpace works on the WS-* protocols, which are open, freely licensed, and jointly developed by many contributors.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4118889988710300019?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4118889988710300019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4118889988710300019' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4118889988710300019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4118889988710300019'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-23.html' title='Cohen on Howard: Chapter 23'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3542798666466299551</id><published>2007-03-25T09:56:00.000-04:00</published><updated>2007-03-25T10:00:56.961-04:00</updated><title type='text'>Cohen on Howard: Chapter 22</title><content type='html'>&lt;i&gt;Chapter 22 covers privacy legislation and concerns that need to be addressed by secure software.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapter 22 is about legal issues in privacy, but it doesn't even do that well. All it really does is pile more mindless data on the reader without the context to apply it well.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Chapter 22 outlines US and EU privacy legislation (EU directives on Data Protection, Computer Fraud and Abuse Act, Gramm-Leach Bliley Act, Health Information Portability Accountability Act, and the Children's Online Privacy Protection Act) that might make certain demands on your software.&lt;br /&gt;&lt;br /&gt;It discusses privacy policies for software and websites and how to integrate with the Platform for Privacy Preferences standards.  
It warns about making bold statements about privacy that you can't back up because of trust issues with business partners or business processes.&lt;br /&gt;&lt;br /&gt;It is hard to know exactly what Cohen takes offense at in this chapter, but his review seems unjustified.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3542798666466299551?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3542798666466299551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3542798666466299551' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3542798666466299551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3542798666466299551'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-22.html' title='Cohen on Howard: Chapter 22'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2606426488464090113</id><published>2007-03-25T09:50:00.000-04:00</published><updated>2007-03-25T09:56:06.757-04:00</updated><title type='text'>Cohen on Howard: Chapter 21</title><content type='html'>&lt;i&gt;Chapter 21 covers securing the software installation experience.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Then comes the really hokey advice. Like that systems administrators should be able to alter application programs. Really? 
Since when should users who are the "administrators" on their computers be able to alter the binary code of an executable from a vendor?&lt;/blockquote&gt;&lt;br /&gt;Again, Cohen doesn't offer a source for this statement.  I don't believe the chapter said this.&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;And why should we put keys to codes in the system-wide registry file instead of a file that is protected from read by others?&lt;/blockquote&gt;&lt;br /&gt;The chapter doesn't advocate this, either.  Instead, it points out that the registry can be a nicer choice than a file since it offers fine-grained access control, per-value, whereas files can only offer security per-file.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2606426488464090113?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2606426488464090113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2606426488464090113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2606426488464090113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2606426488464090113'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-21.html' title='Cohen on Howard: Chapter 21'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7034106981875083664</id><published>2007-03-25T09:44:00.000-04:00</published><updated>2007-03-25T09:45:30.917-04:00</updated><title type='text'>Cohen on Howard: Chapter 20</title><content type='html'>&lt;i&gt;Chapter 20 covers performing a security review, mostly via code reviews.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen doesn't have much to say about Chapter 20 -- which is fair, given that the chapter amounts to only 13 pages.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7034106981875083664?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7034106981875083664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7034106981875083664' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7034106981875083664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7034106981875083664'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-20.html' title='Cohen on Howard: Chapter 20'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6067076491047163268</id><published>2007-03-25T09:39:00.000-04:00</published><updated>2007-03-25T09:43:57.427-04:00</updated><title type='text'>Cohen on Howard: Chapter 
19</title><content type='html'>&lt;i&gt;Chapter 19 covers penetration testing, including fuzzing techniques.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen grudgingly accepts this chapter, noting that "finally, they start to begin to put a model on the security issue".  Is he perhaps referring to the in-depth descriptions of the STRIDE technique, first presented back in Chapter 4?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6067076491047163268?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6067076491047163268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6067076491047163268' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6067076491047163268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6067076491047163268'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-19.html' title='Cohen on Howard: Chapter 19'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1210346989916779332</id><published>2007-03-25T09:37:00.000-04:00</published><updated>2007-03-25T09:39:41.140-04:00</updated><title type='text'>Cohen on Howard: Chapter 18</title><content type='html'>&lt;i&gt;Chapter 18 focuses on security features built into the .NET common language runtime.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;In chapter 
18 we are told how to write secure .NET code, but of course it ignores all of the previous lessons and tells us to use security features that extend trust from domain to domain without a good basis. Ah well, what should I have expected from the last chapter in this section. They would have done better to cut this whole section out. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, Cohen's review of this chapter is light on specifics but generally pans the chapter.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1210346989916779332?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1210346989916779332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1210346989916779332' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1210346989916779332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1210346989916779332'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-18.html' title='Cohen on Howard: Chapter 18'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2960623776957485046</id><published>2007-03-25T09:32:00.000-04:00</published><updated>2007-03-25T09:36:18.545-04:00</updated><title type='text'>Cohen on Howard: Chapter 17</title><content type='html'>&lt;i&gt;Chapter 17 covers preventing denial of service attacks against 
common resources.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;It also gives us a really bad example of using software performance profiling instead of complexity analysis to find possible denial of service exploits. This is the worst example yet of ignoring academic results in favor of inferior industry methods. In particular, a junior programmer is told to ignore all that complexity theory he was taught in the University and simply test each of the routines under different inputs, find the slow routines, and speed them up. Of course in a denial of service scenario, if there is a high complexity function that is fast in almost all cases, a good attacker will find the worst case input sequences and exploit them while the testing scheme will almost certainly miss these cases unless they do complexity analysis. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;In the context of the quote, it is clear that they're discussing how to improve CPU performance issues on a specific codebase, not how to detect and fix CPU denial of service attacks.  Asymptotic algorithm complexity analysis is costly and leaves out a lot of context that is needed when determining how to improve performance (e.g., how often is this code path executed).  
The pragmatic programmer in me has no problem with using a profiler against a system running under a broad set of expected loads to figure out where the low-hanging fruit is.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2960623776957485046?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2960623776957485046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2960623776957485046' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2960623776957485046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2960623776957485046'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-17.html' title='Cohen on Howard: Chapter 17'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3093104591255888326</id><published>2007-03-25T09:22:00.000-04:00</published><updated>2007-03-25T09:28:52.187-04:00</updated><title type='text'>Cohen on Howard: Chapter 16</title><content type='html'>&lt;i&gt;Chapter 16 covers securing RPC, ActiveX and DCOM code.&lt;/i&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapter 16 tells us 50 variables to set to specific values in RPC and Kerberos code (why they don't set these by default I don't know, but expecting Microsoft to do what the authors advise is expecting too much)&lt;/blockquote&gt;&lt;br /&gt;It's unclear 
what Kerberos code Cohen is referring to -- perhaps the flag which specifies using Kerberos as the authentication method for RPC?  &lt;br /&gt;&lt;br /&gt;The chapter presents a number of useful flags when programming RPC code and details the trade-offs of each choice.&lt;br /&gt;&lt;br /&gt;As well, the chapter presents information on disabling previously-released ActiveX code with security flaws.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3093104591255888326?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3093104591255888326/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3093104591255888326' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3093104591255888326'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3093104591255888326'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-16.html' title='Cohen on Howard: Chapter 16'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4825058010165090456</id><published>2007-03-25T09:15:00.000-04:00</published><updated>2007-03-25T09:20:44.024-04:00</updated><title type='text'>Cohen on Howard: Chapter 15</title><content type='html'>&lt;i&gt;Chapter 15 covers security for networks.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;In Part 3, my hopes were 
dashed. Yes, part 2 continues in part 3. The separation is apparently only a trick to meet an administrative requirement of maximum section sizes, or perhaps a limitation of Word based on an integer overrun.&lt;/blockquote&gt;&lt;br /&gt;Cohen's joke is especially funny when you realize that David LeBlanc, a co-author of the book, produced the SafeInt library to prevent integer overflow attacks...while working for Microsoft Office.&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapter 15 does a poor job of handling network issues with the exception of providing some reasonable advice on building firewall-friendly applications.&lt;/blockquote&gt;&lt;br /&gt;Cohen's review does a poor job of describing what is missing here.  The chapter covers how to prevent local applications from hijacking a server's port, limiting attack surface by binding as narrowly as possible to an interface and the insecurities of DNS as well as how to write firewall-friendly applications, amongst other things.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4825058010165090456?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4825058010165090456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4825058010165090456' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4825058010165090456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4825058010165090456'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-15.html' title='Cohen on Howard: Chapter 
15'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2123902288248462750</id><published>2007-03-25T09:07:00.000-04:00</published><updated>2007-03-25T09:14:43.945-04:00</updated><title type='text'>Cohen on Howard: Chapters 12 to 14</title><content type='html'>&lt;i&gt;Chapters 12 to 14 deal with more canonicalization issues: database input, web input and internationalization via Unicode.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapters 12 and 13 are the same thing as chapter 11, repeated in the context of databases and web servers. In other words, they only give more examples of the same mistakes producing the same sorts of errors in different application environments. Useful for those who didn't get it the first 10 times, redundant for the rest of us.&lt;/blockquote&gt;&lt;br /&gt;I dispute that these sections are not useful:  they cover real-world attacks and tell you how to prevent them.  This is much more actionable than saying "input validation and canonicalization issues exist in the web and database environments as well."&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Finally, thankfully, chapter 14 tells us to use Unicode for representing everything. Of course this is based on internationalization issues, not security issues, and ends this section of the book. After 325 pages, I found myself wanting more for less. 
&lt;/blockquote&gt;&lt;br /&gt;If you accept that canonicalization is a security issue, how is internationalization canonicalization not a security issue?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2123902288248462750?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2123902288248462750/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2123902288248462750' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2123902288248462750'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2123902288248462750'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapters-12-to-14.html' title='Cohen on Howard: Chapters 12 to 14'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-9083289687820871053</id><published>2007-03-25T09:03:00.000-04:00</published><updated>2007-03-25T09:07:38.779-04:00</updated><title type='text'>Cohen on Howard: Chapter 11</title><content type='html'>&lt;i&gt;Chapter 11 addresses the issue of input validity given canonical representation issues.  e.g., http://127.1 is equivalent to http://127.0.0.1 and to http://2130706433&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Again, Cohen's comments are accurate.  
Formal languages and well-defined standard representations would solve the problem; meanwhile, the book presents best practices and suggestions for how to canonicalize input.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-9083289687820871053?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/9083289687820871053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=9083289687820871053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/9083289687820871053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/9083289687820871053'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-11.html' title='Cohen on Howard: Chapter 11'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-724188481333482950</id><published>2007-03-25T09:00:00.000-04:00</published><updated>2007-03-25T09:03:44.079-04:00</updated><title type='text'>Cohen on Howard: Chapter 10</title><content type='html'>&lt;i&gt;Chapter 10 presents issues in untrusted input and methods to check input for validity and safety.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;You may not believe this, but the book fails to address sequential machine issues across the board and focuses entirely on combinatorics issues under stateless machine assumptions. 
This is not by intent, as there is no underlying model in the book. They just missed the basic notion that we are dealing with sequential machines. And of course asynchronous issues between communicating sequential machines never even hits their radar. We are told to check input validity by verifying syntax, but the use of redundant values on input to cross check validity is ignored. Input syntax is addressed, but semantics are ignored, and more particularly, we are not told how to build syntax filters that allow different syntactic elements based on previous inputs and program states.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Spot on.  There are more advanced techniques that are better than what the book presents.  One could nitpick that "they just missed the basic notion that we are dealing with sequential machines" and instead chose to present simpler techniques that are within the grasp of all computer programmers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-724188481333482950?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/724188481333482950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=724188481333482950' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/724188481333482950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/724188481333482950'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-10.html' title='Cohen on Howard: Chapter 10'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6314972321362128183</id><published>2007-03-25T08:29:00.000-04:00</published><updated>2007-03-25T08:46:19.317-04:00</updated><title type='text'>Cohen on Howard: Chapter 9</title><content type='html'>&lt;i&gt;Chapter 9 deals with encryption and protecting secret data.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.securecoding.cert.org/confluence/download/attachments/2426/kurios119.jpg" align="right" /&gt;Cohen largely approves of Chapter 9. In particular, he likes the fact that the authors state knowledge of cryptography and mathematics is not sufficient: you must apply it in a way that makes sense. (For a way that doesn't make sense, see the picture to the right.)&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;CryptGenRandom gets its randomness, also known as system entropy, from many sources in Windows 2000 and later, including the following: [...lists on the order of 100 counters...]&lt;br /&gt;The resulting byte stream is hashed with SHA-1 to produce a 20-byte seed value that is used to generate random numbers according to FIPS 186-2 appendix 3.1.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;The authors rightly spend a substantial amount of time on generating decent pseudo-random numbers [...] Of course their solution is a Microsoft system call that they assert does it right. I should note that the parameters they claim to use to generate their random seeds contain some very predictable values and sets of values that, while individually may not be very predictable may be more predictable together. For example, when we add the CPU, User, and I/O time it may come to a predictable value (100%) even if each is not very predictable on their own. 
&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Yes -- if you add CPU, user and I/O time it will come close to 100%.  However, the authors make it clear that they concatenate the values rather than sum them.  Even so, due to issues with representing numbers in computer systems, CPU + user + I/O time may not always sum to 100 depending on Microsoft's internal representation.&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;They do tell us to use salts for hash functions to store things like passwords. Their inability to get the job done at Microsoft shines through when we realize that the password scheme used in Microsoft products didn't use salts for their hashes and resulted in a widely published dictionary-based attack based on this weakness. It saddens me to see that even when the authors get it right the company gets it wrong.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Cohen does not indicate which Microsoft product is storing passwords unsalted.  Doubtless, many earlier Microsoft products had this problem before it was well understood to be a problem.  Indeed -- many Linux distributions of a bygone time didn't &lt;a href="http://tldp.org/HOWTO/Shadow-Password-HOWTO-2.html"&gt;shadow their passwd files&lt;/a&gt;, even though /etc/passwd was world-readable and had a small saltspace.  
Even today, &lt;a href="http://www.wordpress.org"&gt;Wordpress &lt;/a&gt;doesn't salt user passwords -- and uses the &lt;a href="http://trac.wordpress.org/ticket/2394"&gt;insecure MD5 hash&lt;/a&gt; to boot!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6314972321362128183?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6314972321362128183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6314972321362128183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6314972321362128183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6314972321362128183'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-9.html' title='Cohen on Howard: Chapter 9'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6983101076178333060</id><published>2007-03-25T08:20:00.000-04:00</published><updated>2007-03-25T08:28:50.223-04:00</updated><title type='text'>Cohen on Howard: Chapters 5 to 8</title><content type='html'>&lt;i&gt;Chapters 5 to 8 cover buffer overruns, access control lists, least privileges, and basic cryptography errors.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cohen's review of chapters 5 to 8 is lumped together into 3 paragraphs, ending with:&lt;br /&gt;&lt;blockquote&gt;If you don't know why C leads to off-by-one errors that lead to storage 
errors that lead to programs doing bad things, these chapters are worth reading. If you like examples without all the facts to make the point, but lots of lines of code showing how to set access controls in Windows, this section of the book is for you. It is not for the same people that section 1 was for, but the audience shift should be obvious enough for most readers to ignore one part or the other appropriately. My summary note on these chapters says "Bad design + bad programmers =&gt; Bad code". I think that is telling.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;While some of the code samples are definitely very Windows-specific (e.g., how to modify your execution token to restrict your operating permissions so as to restrict the value of exploiting your program), some of the samples and concepts are technology agnostic and very important.&lt;br /&gt;&lt;br /&gt;Chapter 5, for example, focuses on buffer overruns and their ilk.  These constantly feature on the &lt;a href="http://www.sans.org/top20/"&gt;SANS Institute's Annual Top 20 Security Attack Targets&lt;/a&gt; list.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6983101076178333060?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6983101076178333060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6983101076178333060' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6983101076178333060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6983101076178333060'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapters-5-to-8.html' title='Cohen on Howard: Chapters 5 to 
8'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3252005663178067878</id><published>2007-03-25T08:02:00.000-04:00</published><updated>2007-03-25T08:14:24.846-04:00</updated><title type='text'>Cohen on Howard: Chapter 4</title><content type='html'>&lt;i&gt;Chapter 4 is on modelling threats to software by breaking it down into components and analyzing each part's vulnerabilities.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Chapter 4 introduces modelling techniques for decomposing your applications, including:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Data_flow_diagram"&gt;Data Flow Diagrams (DFDs)&lt;/a&gt; - modelling how data flows through your application to understand how parts can be attacked&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/STRIDE_%28security%29"&gt;STRIDE&lt;/a&gt; - a way to categorize threats based on what risk they permit: spoofing, tampering of data, repudiation of actions, information disclosure, denial of service or escalation of privileges&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/aa302419.aspx#c03618429_011"&gt;DREAD&lt;/a&gt; - a way of rating priority of threats based on damage potential, reproducibility, exploitability, affected users, and discoverability.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;It also tells us that STRIDE and DREAD are the models of threats and consequences they use at Microsoft - which helps me to understand why they miss the boat so often. You need to get the book for more details because I need to cut down on the content of my review before we all run out of patience with it and the book. 
The book is almost 800 pages, by the way, and it does have a solid 40 pages of worthwhile content, not a bad bloat ratio for some software products.&lt;/blockquote&gt;&lt;br /&gt;Cohen seems to suggest that STRIDE and DREAD are inferior modelling techniques.  Inferior to what?  He proposes no alternative.&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapter 4 is also very important to understanding where Microsoft still misses the boat in security. They didn't spend the time needed to do basic modeling and, as a result, their views and processes are incomplete, inconsistent, and lacking in a systematic approach.&lt;/blockquote&gt;&lt;br /&gt;It is unclear to me how a chapter explaining how to do basic modelling consistently and completely in a systematic fashion supports this view.&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;This is consistent with their expressed view of applying theory where appropriate - that you should never do so. That's part of why they will continue to make big stupid mistakes from time to time. 
&lt;/blockquote&gt;&lt;br /&gt;I don't believe they've said this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3252005663178067878?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3252005663178067878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3252005663178067878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3252005663178067878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3252005663178067878'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-4.html' title='Cohen on Howard: Chapter 4'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5973620756475765024</id><published>2007-03-25T07:36:00.000-04:00</published><updated>2007-03-25T08:14:16.595-04:00</updated><title type='text'>Cohen on Howard: Chapter 3</title><content type='html'>&lt;em&gt;Chapter 3 is on good security principles to live by.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;A protocol you designed is insecure in some manner. Five years and nine versions later, you make an update to the application with a more secure protocol.  
However, the protocol is not backward compatible with the old version of the protocol, and any computer that has upgraded to the current protocol will no longer communicate with any other version of your application.  The chances are slim indeed that your clients will upgrade their computers anytime soon, especially as some clients will still be using version 1, others version 2, and so on.  Hence, the weak version of the protocol lives forever!&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;It tells us to remember that backward compatibility will always give you grief, which is why they discourage it. That's right, Microsoft does not want backward compatibility, but we all knew that a long time ago. Of course the lack of backward compatibility also implies that they didn't do it right in the first place and won't do it right now, or alternatively that there is no right, just eternal change. While this is a good business model, it is a poor information protection approach.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Nowhere in the text do the authors discourage backwards compatibility.  They just point out that it is a major problem when insecure protocols are discovered.  They propose a solution:  make the newer protocols configurably backwards compatible, such that they can run in the less secure mode in a low-risk environment and in the more secure mode in a high-risk environment.&lt;br /&gt;&lt;br /&gt;This is a common problem that people need to face.  The book cites attacks on the SMB protocol that required a breaking change to the protocol.  Other real-life examples exist as well:  SSH1 had a design flaw and needed to be superseded by SSH2.&lt;br /&gt;&lt;br /&gt;To say "the lack of backward compatibility also implies that they didn't do it right in the first place and won't do it right now" is also incorrect.  
Sometimes protocols become weak due to unknown flaws in the underlying algorithms becoming known as they are cryptanalyzed by the research community, for example protocols which relied on &lt;a href="http://en.wikipedia.org/wiki/MD4"&gt;MD4&lt;/a&gt;.  At the time of creation, it may have been generally accepted to use these algorithms --  is it fair to say they didn't do it right in the first place?  I doubt it.&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;When was the last time you entered a bank to see a bank teller sitting on the floor in a huge room next to a massive pile of money.  Never! To get to the big money in a bank requires that you get to the bank vault, which requires that you go through multiple layers of defense.  Here are some examples of the defensive layers: [...cites examples of multiple layers of defense against vault robbery...]&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;They tell us that the most valuable part of a bank is its vault - did they miss the information age somewhere? They probably never worked on bank security. These days, the computers have far more value than the vaults (except the vaults that hold the computers of course). &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Nowhere does Howard say the most valuable part of a bank is the vault.  Rather, he motivates the need for multiple layers of defense in computer programs by relating how other industries protect their assets.  
It's certainly true that access to the software and data controlling the management of the bank's money is very important -- but this is the very thing he's trying to motivate through his analogy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5973620756475765024?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5973620756475765024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5973620756475765024' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5973620756475765024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5973620756475765024'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-3.html' title='Cohen on Howard: Chapter 3'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-7782545079240757072</id><published>2007-03-25T07:23:00.000-04:00</published><updated>2007-03-25T08:14:09.965-04:00</updated><title type='text'>Cohen on Howard: Chapter 2</title><content type='html'>&lt;em&gt;Chapter 2 describes how to weave security into the traditional software development lifecycle from start to end, including training.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Chapter 2 misses by so much it's not even funny. 
The authors give fundamental misimpressions, for example, that secure software is equivalent to risk management.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;At some level, secure software &lt;i&gt;is&lt;/i&gt; risk management.  As you secure software, you frequently make the software harder to use or less functional.  Sometimes, you can get more security without sacrificing ease of use or functionality; but usually it's a balance that the authors of the code get to pick.&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;Don't add any ridiculous code to your application that gives a list of all the people who contributed to the application.  If you don't have time to meet your schedule, how can you meet the schedule when you spend many hours working on an Easter egg?  I have to admit that I wrote an Easter Egg in a former life, but it was not in the core product.  It was in a sample application.  I would not write an Easter Egg now, however, because I know that users don't need them and, frankly I don't have the time to write one!&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;They tell us that no more Trojan Horses will be allowed in Microsoft software. It took them long enough, they used to call them "Easter Eggs", a public relation stunt to make it seem palatable, and one that worked in the large for many years. But this is a good thing and I am glad they finally decided to do this.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;In computer lore, words have very specific meaning.  
The &lt;a href="http://catb.org/~esr/jargon/html/go01.html"&gt;Jargon File&lt;/a&gt; is a definitive lexicon for nerd speak.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://catb.org/~esr/jargon/html/T/Trojan-horse.html"&gt;trojan horse &lt;/a&gt;: a malicious security-breaking program that is disguised as something benign&lt;br /&gt;&lt;a href="http://catb.org/~esr/jargon/html/E/Easter-egg.html"&gt;easter egg&lt;/a&gt;: a message, graphic, or sound effect emitted by a program in response to some undocumented set of commands or keystrokes&lt;br /&gt;&lt;br /&gt;Cohen's use of the very negative phrase "Trojan horse" almost suggests that his review is a &lt;a href="http://catb.org/~esr/jargon/html/T/troll.html"&gt;troll&lt;/a&gt; (conveniently defined on the page after "Trojan horse" in the Jargon File).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-7782545079240757072?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/7782545079240757072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=7782545079240757072' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7782545079240757072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/7782545079240757072'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-2.html' title='Cohen on Howard: Chapter 2'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5251433572821610188</id><published>2007-03-25T07:06:00.000-04:00</published><updated>2007-03-25T08:14:01.160-04:00</updated><title type='text'>Cohen on Howard: Chapter 1</title><content type='html'>&lt;em&gt;Chapter 1 motivates the need for secure systems, and provides tips on how to convince your organization of the need.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;As the Internet grows in importance, applications are becoming highly interconnected.  In the "good old days," computers were usually islands of functionality, with little, if any, interconnectivity.  In those days, it didn't matter if your application was insecure -- the worst you could do was attack yourself -- and so long as an application performed its task successfully, most people didn't care about security.&lt;/blockquote&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;The misinformation on the book starts in the 2nd sentence of the first paragraph of chapter 1 when we are told that security wasn't important before the Internet grew in importance and that the worst result would be that people could attack themselves. The first network-based global computer virus reached mainframes around the world in the late 1980s - and it did not involve the &lt;em&gt;Internet&lt;/em&gt;. [emphasis mine] &lt;/blockquote&gt;&lt;br /&gt;Cohen has a point:  The introduction of networks is what caused the shift in focus in computer security, and, as the Internet is just one such network, Howard's point is technically incorrect.  Is it misinformation?  Hardly.  That implies some malice or motive.&lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;[...] So where do you begin instilling security in your organization?  The best place is at the top, which can be hard work.  
It's difficult because you'll need to show a bottom-line impact to your company, and security is generally considered something that "gets in the way" and costs money while offering little or no financial return.  Selling the idea of building secure products to management requires tact and sometimes requires subversion.  Let's look at each approach.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;Indeed, chapter 1 demonstrates just how poor the internal culture at Microsoft is. Such awareness activities as getting the boss to send an email and nominating an evangelist are really not about writing secure code as much as internally about convincing Microsoft to do what you want. It is valuable for salespeople no doubt.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It is unclear what Cohen draws on to support his statement about the poor internal culture at Microsoft -- indeed, the foreword to the book talks about the 2002 trustworthy computing directive from Bill Gates motivating the change in culture.  &lt;br /&gt;&lt;br /&gt;Howard:&lt;br /&gt;&lt;blockquote&gt;Principle #1: The defender must defend all points; the attacker can choose the weakest point.&lt;br /&gt;Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities.&lt;br /&gt;Principle #3: The defender must be constantly vigilant; the attacker can strike at will.&lt;br /&gt;Principle #4: The defender must play by the rules; the attacker can play dirty.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen:&lt;br /&gt;&lt;blockquote&gt;The lack of a basis for design shows up in Chapter 1 and it permeates the book. The four principles selected in the book are hardly what I would choose, but then I was not choosing. 
"Principle 2 - the defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities" - an excellent example of why you need a design basis and how the lack of one leads you down the wrong path. "Principle 4 - The defender must play by the rules; that attacker can play dirty!" - what rules are those? My view is that this lack of a design basis, the lack of deep understanding of issues and a way to approach dealing with them, and the lack of a theory and a practice underlies the problem that Microsoft and much of the current programming community has with writing secure code. This book does nothing to solve these problems.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Cohen introduces the phrase 'design basis', but doesn't define it -- though he does lament the lack of them in most software.  He complains that the principles presented are not those he would present -- but doesn't offer his own principles.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5251433572821610188?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5251433572821610188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5251433572821610188' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5251433572821610188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5251433572821610188'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-chapter-1.html' title='Cohen on Howard: Chapter 1'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5345770760393121667</id><published>2007-03-25T06:53:00.000-04:00</published><updated>2007-03-25T08:13:48.622-04:00</updated><title type='text'>Cohen on Howard: Introduction</title><content type='html'>&lt;a href="http://all.net/resume/resume.html"&gt;Fred Cohen&lt;/a&gt; is a well-respected computer science researcher and professor in the security field.  &lt;a href="http://www.microsoft.com/MSPress/books/authors/auth5957.aspx"&gt;Michael Howard and David LeBlanc&lt;/a&gt; are well-respected software engineers in the security field.&lt;br /&gt;&lt;br /&gt;They wrote Writing Secure Code, a book on computer programming security.&lt;br /&gt;&lt;br /&gt;Cohen wrote a &lt;a href="http://www.ieee-security.org/Cipher/BookReviews/2003/Howard_by_fcohen.html"&gt;review of the book&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The review is posted on the IEEE Computer Society's Technical Committee on Security and Privacy website.  That's a mouthful -- but it's also one of the most respected institutions in software engineering.&lt;br /&gt;&lt;br /&gt;The review is 5,400 words long.  It analyzes the book chapter by chapter and finishes with a suggestion for what the book ought to have been called:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"How poor quality programmers at Microsoft have produced hundreds of instances of the same 10 big mistakes in their code, and how they can do their jobs a little bit better". &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The software engineering profession is often criticized for a perceived lack of rigor and professionalism.  Read the review.  Analyze it in context:  one researcher criticizing another researcher's work, published on an electronic journal read by their peers.  
Doesn't say much for software engineering, does it?&lt;br /&gt;&lt;br /&gt;This is the first of a series of blog posts.  I am going to go through Cohen's review, chapter-by-chapter, and give the point-of-view of a 4th year software engineering student, who has interned at Microsoft on &lt;br /&gt;&lt;ul&gt;&lt;li&gt;a Trustworthy Computing team, working on the same team as David LeBlanc&lt;/li&gt;&lt;br /&gt;&lt;li&gt;the Microsoft CardSpace team, working on Microsoft's digital identity and privacy software&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;I actually received a free copy of the book when I joined Microsoft.  It is also a required text for one of my school courses.  When you read my commentary, remember my biases, and also remember my youth -- I am criticizing a man who has been in the field for 30 years.  If I can find so many questionable points in his review, what does that say about our field?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5345770760393121667?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5345770760393121667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5345770760393121667' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5345770760393121667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5345770760393121667'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/cohen-on-howard-introduction.html' title='Cohen on Howard: Introduction'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-202739534646266074</id><published>2007-03-20T13:49:00.000-04:00</published><updated>2007-03-20T13:51:50.165-04:00</updated><title type='text'>ATEs at Waterloo</title><content type='html'>Thanks, Waterloo!&lt;br /&gt;&lt;br /&gt;From the short list of courses that meet the ATE requirements for me to graduate intersected with the set offered this semester complemented with the times of core SE courses, there are three courses I want/can take:&lt;br /&gt;&lt;br /&gt;* ECE 493: Special Topics in ECE, 7th offering: Security&lt;br /&gt;* ECE 454: Distributed Systems&lt;br /&gt;* CS 452: Real-Time Operating Systems (The "Trains" Course)&lt;br /&gt;&lt;br /&gt;The ECE courses require course overrides because I'm an SE student, and the CS course has only 6 spots for SE students (but 34 for CS -- even though at present there are only 6 CS students signed up for it).&lt;br /&gt;&lt;br /&gt;What a treat!  
I knew this is why I signed up for SoftEng at UW!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-202739534646266074?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/202739534646266074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=202739534646266074' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/202739534646266074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/202739534646266074'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/ates-at-waterloo.html' title='ATEs at Waterloo'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4733088048191150707</id><published>2007-03-15T04:05:00.000-04:00</published><updated>2007-03-15T04:06:06.059-04:00</updated><title type='text'>I hate you Comcast</title><content type='html'>Do you want my money or not?!&lt;br /&gt;&lt;br /&gt;Last time it was: "Unknown error. Call 1-800-COMCAST."&lt;br /&gt;&lt;br /&gt;This time it's: "Unable to localize to your account at this time. Please try again later."&lt;br /&gt;&lt;br /&gt;What the hell do you have to localize?! Your site is English, I speak English.  NO LOCALIZATION NECESSARY! 
GRRRRR!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4733088048191150707?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4733088048191150707/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4733088048191150707' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4733088048191150707'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4733088048191150707'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/i-hate-you-comcast.html' title='I hate you Comcast'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-4565679195617044543</id><published>2007-03-13T00:53:00.000-04:00</published><updated>2007-03-13T01:08:22.199-04:00</updated><title type='text'>Entropy</title><content type='html'>At Payless Shoesource:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Phone number, please," says the clerk at Payless Shoes to my housemate, Sarah.&lt;br /&gt;&lt;br /&gt;"Umm, why do you need my phone number?"&lt;br /&gt;&lt;br /&gt;"It's so we can track how well shoes sell at given stores."&lt;br /&gt;&lt;br /&gt;Me now, "That makes no sense. Can you just type in 10 random digits?"&lt;br /&gt;&lt;br /&gt;"Err, yeah, I could. But, really, given chaos theory, is anything really random?"&lt;br /&gt;&lt;br /&gt;Well, actually, yes. "Well, actually, yes. 
The &lt;a href="http://www.fourmilab.ch/hotbits/how3.html"&gt;interarrival time of radioactive decay events&lt;/a&gt; are random." And from what little I know, I think &lt;a href="http://en.wikipedia.org/wiki/Chaos_theory"&gt;chaos theory&lt;/a&gt; just says that some things that appear random, aren't random.&lt;br /&gt;&lt;br /&gt;"Oh, but it just looks that way because the sample size is small. Taken over infinity, patterns would start to occur."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Twitch, twitch.&lt;br /&gt;&lt;br /&gt;This reminds me of the time I phoned NET10 tech support.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Can we have your email address, sir?"&lt;br /&gt;&lt;br /&gt;"Why?"&lt;br /&gt;&lt;br /&gt;"It's so we can email you advertisements about the product."&lt;br /&gt;&lt;br /&gt;"I don't want to give you my email address, then."&lt;br /&gt;&lt;br /&gt;"You don't have an email address?"&lt;br /&gt;&lt;br /&gt;"No, I just don't want to give it to you so you can spam me."&lt;br /&gt;&lt;br /&gt;"You don't have an email address?"&lt;br /&gt;&lt;br /&gt;"That's correct."&lt;br /&gt;&lt;br /&gt;"And your birthdate, sir?"&lt;br /&gt;&lt;br /&gt;"June 14, 1911."&lt;br /&gt;&lt;br /&gt;"Thank you."&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-4565679195617044543?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/4565679195617044543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=4565679195617044543' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/4565679195617044543'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7021685/posts/default/4565679195617044543'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/entropy.html' title='Entropy'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-6369317866279483387</id><published>2007-03-07T23:26:00.000-05:00</published><updated>2007-03-07T23:28:14.190-05:00</updated><title type='text'>Frugality</title><content type='html'>Why don't I get a haircut? Why don't I have a cell phone? Why don't I have pants that aren't 3+ years old and full of holes?&lt;br /&gt;&lt;br /&gt;Because I'm cheap.&lt;br /&gt;&lt;br /&gt;Apparently, it's a common affliction in CS types.  An acquaintance who works at Google finally &lt;a href="http://insanecats.com/cgi-bin/single.py?month=mar07&amp;msg=07"&gt;upgraded her TV&lt;/a&gt; after getting maximum value out of the old one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-6369317866279483387?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/6369317866279483387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=6369317866279483387' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6369317866279483387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/6369317866279483387'/><link rel='alternate' type='text/html' 
href='http://cldellow.blogspot.com/2007/03/frugality.html' title='Frugality'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-2771315279404373885</id><published>2007-03-05T06:45:00.000-05:00</published><updated>2007-03-05T06:47:54.318-05:00</updated><title type='text'>Standing water</title><content type='html'>The insurance tags on my long-term rental from Avis just expired.&lt;br /&gt;&lt;br /&gt;So I got it replaced, and now me and my housemates are the -- er, proud? -- drivers of a Chevy HHR.&lt;br /&gt;&lt;br /&gt;This car feels like such a piece of garbage. It is a study in how not to do user interfaces.&lt;br /&gt;&lt;br /&gt;Things are in all the wrong places. The driver's drinkholder is well behind his seat. The window controls are at about calf level. The most prominent dial on the instrument panel is the &lt;em&gt;tachometer&lt;/em&gt;. &lt;br /&gt;&lt;br /&gt;Oh, and the glove box is full of fetid water.  
That might be factory default, might be the performance package; I didn't ask.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-2771315279404373885?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/2771315279404373885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=2771315279404373885' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2771315279404373885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/2771315279404373885'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/standing-water.html' title='Standing water'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-1664585381261679049</id><published>2007-03-05T04:49:00.000-05:00</published><updated>2007-03-05T05:35:14.340-05:00</updated><title type='text'>Agape</title><content type='html'>This past Saturday, I learned the true meaning of the word agape.  And I don't mean the &lt;a href="http://en.wikipedia.org/wiki/Agape"&gt;brotherly love&lt;/a&gt; kind.&lt;br /&gt;&lt;br /&gt;Since coming to Seattle, I've heard a great deal about the local strip clubs.  There's a &lt;a href="http://seattlepi.nwsource.com/local/290659_fourfoot01.html"&gt;war against adult entertainment going on&lt;/a&gt;, they say.  No alcohol can be served - and this is just the first sortie.  
If those upright folk in City Hall get their way, strip clubs will be brightly lit, strippers will be behind a railing several feet away from the closest patron, tipping will be illegal, etc, etc.&lt;br /&gt;&lt;br /&gt;Clearly, I had to experience this before it got legislated out of existence or I crossed into the land of the betrothed.&lt;br /&gt;&lt;br /&gt;Thus, it was after obtaining business sign off from our significant others that Simon, Dan and I trotted off to Showgirls on Seattle's 1st Avenue.&lt;br /&gt;&lt;br /&gt;Giddy on the naughtiness of it all, we seated ourselves and awaited untold dark, erotic adventures.  As it turned out, we'd have a long time to wait and the adventures would remain untold.&lt;br /&gt;&lt;br /&gt;&lt;img align="right" src="http://upload.wikimedia.org/wikipedia/en/d/dd/Cletus.gif"&gt;Each dancer seemed to have about 90 seconds on stage to do her bit.  Sex isn't hot when you're rushing to beat the clock -- turns out, stripping's the same way.  It was a race to kick off the clothes, avoid making eye contact with the patrons, and get the hell off the stage.  I couldn't help but compare it to &lt;a href="http://www.thecancan.com/"&gt;Can Can&lt;/a&gt;, where parts of the cabaret-style entertainment were much, much more sensual.  (Oh, and forget the no-touching rule:  at Can Can, they invite you up on the stage to dance and get up close and personal.  Granted, the person whose behind I had the unique opportunity to knead was a bit sweaty. And hairy. And male.  
But I digress.)&lt;br /&gt;&lt;br /&gt;I get the feeling that there were only two folks at Showgirls who got their money's worth:  Dan, who took a nap and a rather dimwitted-looking fellow in the front row who seemed unable to close his mouth for the duration of the time we were there.&lt;br /&gt;&lt;br /&gt;PS:  Kudos to &lt;a href="http://backguy.livejournal.com/"&gt;Rodney&lt;/a&gt;, who, when informed that the plans for the evening included a strip club, simply said "no thanks, I don't agree with that and I don't want to do that".  And congrats on your job offer!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-1664585381261679049?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/1664585381261679049/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=1664585381261679049' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1664585381261679049'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/1664585381261679049'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/agape.html' title='Agape'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5227094980953962041</id><published>2007-03-05T04:25:00.000-05:00</published><updated>2007-03-05T05:44:14.287-05:00</updated><title type='text'>Karatsuba</title><content type='html'>I'm pretty sure I owe Jenn an apology 
for something like this when I was in CS 134 and implementing a class that could handle arbitrarily large integers with the common operations (addition, subtraction, multiplication, division, exponentiation).&lt;br /&gt;&lt;br /&gt;I wanted to implement Karatsuba multiplication. It's marginally faster than gradeschool long multiplication. Yup, you heard right: marginally faster. And there were no bonus marks to be had. And hell, implementing multiplication was only worth like .1% of your final mark. And I was trying to optimize *JAVA*. Definitely a missing-the-forest-for-the-trees moment. I didn't end up seeing the results I expected, so fine, I said, fuck it!&lt;br /&gt;&lt;br /&gt;And I went on to other pursuits.&lt;br /&gt;&lt;br /&gt;But then... like the crescendo of a great concerto, the explosion of a whole sky's worth of fireworks and the crash of thunder all at once, it became clear to me:  I was being sloppy with object creation in a tight loop!&lt;br /&gt;&lt;br /&gt;&lt;img src="http://imgs.xkcd.com/comics/hamiltonian.png"&gt;&lt;br /&gt;&lt;br /&gt;And I think I also owe Jenn similar apologies for SE 141 (fastest clock rate on the Xilinx boards for project #3), CS 241 (removing the arbitrary restriction on the number of local variables supported by my implementation of SL) and ECE 354 (corner case where A5 gets destroyed on the MCF5307 when context switching).&lt;br /&gt;&lt;br /&gt;Side note:  Jenn and I had an epiphany after seeing a bike store on Hamilton Street in Vancouver.  
If we ever live in Hamilton, we will dispense with our cumulative 8 years of study of math and engineering to be the proprietors of a bike shop named the Hamiltonian Cycle.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5227094980953962041?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5227094980953962041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5227094980953962041' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5227094980953962041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5227094980953962041'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/karatsuba.html' title='Karatsuba'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-3056565083857908768</id><published>2007-03-05T04:18:00.000-05:00</published><updated>2007-03-05T04:21:51.600-05:00</updated><title type='text'>Surgeons in a Half-Shell</title><content type='html'>A friend of mine commented a couple years ago that we're going to be flooded with Hollywood remakes of the shows of our childhoods, since the kids who enjoyed the shows back then are now the artists producing the movies.&lt;br /&gt;&lt;br /&gt;I guess medical school takes longer than film school, since just last week the xkcd guy produced this gem:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img 
src="http://imgs.xkcd.com/comics/nintendo_surgeon.png"&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-3056565083857908768?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/3056565083857908768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=3056565083857908768' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3056565083857908768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/3056565083857908768'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/surgeons-in-half-shell.html' title='Surgeons in a Half-Shell'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-5710736085231963394</id><published>2007-03-05T04:05:00.000-05:00</published><updated>2007-03-05T04:16:32.012-05:00</updated><title type='text'>Why I don't have a cellphone</title><content type='html'>My parents yell at me because I don't have a phone.&lt;br /&gt;&lt;br /&gt;I tell them it's because cell phones are overpriced monstrosities, VOIP phones don't work and landlines charge outrageous installation fees for people who move around every 4 months.&lt;br /&gt;&lt;br /&gt;In reality, it's because all these giant megacorps don't understand the Internet.&lt;br /&gt;&lt;br /&gt;I mean, hey, it's only been around since '&lt;a href="http://www.faqs.org/rfcs/rfc1.html"&gt;69&lt;/a&gt;. 
I begin to doubt how Telus knows that "&lt;a href="http://www.telus.com/cgi-ebs/jsp/selectRegion.jsp"&gt;the future is friendly&lt;/a&gt;" when they're still trying to catch up to the events of the 1960s. Hell, computers don't even remember what 69 is anymore. Because of the Y2K problem, if you told Telus's mainframe that you were born in "69", it'd think you were born in 2069. It probably wouldn't let you open an account and that would be a blessing in disguise.&lt;br /&gt;&lt;br /&gt;Because, you see, with every account comes the bill. Every month.&lt;br /&gt;&lt;br /&gt;Let's see here... that's potentially 1 internet bill, 1 cable bill, 1 phone bill, 1 hydro bill, 1 rent bill, 1 water/sewage bill, and 1 furniture rental bill, all of which need to be paid for every abode.&lt;br /&gt;&lt;br /&gt;And if you're a &lt;a href="http://www.cecs.uwaterloo.ca/students/prospective/"&gt;lucky co-op student&lt;/a&gt; (what sort of interview is that smiling, squatting student preparing for? Porcelain Receptacle Quality Assurance Engineer?), you have two houses. In different countries, too, where the megacorps involved are different, so you can't even consolidate bills for the same services.&lt;br /&gt;&lt;br /&gt;Each month, I am either the primary recipient or co-recipient of 8 bills. And no-one uses the same billing cycle, so every 4 days, I get a new bill.&lt;br /&gt;&lt;br /&gt;I'm happy to delegate the authority to dip into my bank accounts in the US or Canada. Despite working for a &lt;a href="http://windowshelp.microsoft.com/Windows/en-US/Help/7dc9c520-9d16-473d-b21b-413ac7226fb61033.mspx"&gt;team&lt;/a&gt; that wants to make Internet transactions secure and traceable, I'm happy to release the keys to the kingdom. I'm happy to say, "Checking acct #602-1481-4, transit 1085, PIN 5152. Enjoy!"&lt;br /&gt;&lt;br /&gt;But the megacorps's websites all seem to have the reliability of an emo, teenaged McDonald's worker. "Error #1048: Please call 1-800-COMCAST." 
"Sorry, PSE is down for scheduled maintenance!" "Cannot find tenant account." "The balance due for Rogers customer 600194018, as of Mar 5, is NOT AVAILABLE." "Can't validate your identity."&lt;br /&gt;&lt;br /&gt;Fine, some of these are transient problems. But Rogers and Comcast -- ironically, both Internet service providers -- reliably fuck up.&lt;br /&gt;&lt;br /&gt;For me, when deciding which services to subscribe to, I balance the high cost of remitting payment against the service's usefulness. Having a place to sleep? Sure. Being able to take a crap? Sure. Being able to take a call while doing either of these? Nah.&lt;br /&gt;&lt;br /&gt;So, mom and dad, that's why I don't have a cell phone.&lt;br /&gt;&lt;br /&gt;PS:  Comcast, how can you have the gall to charge a $129 activation fee for VOIP service?  Normally, I don't care about the one-time fees.  It's the recurring fees I hate.  But an activation fee for an &lt;em&gt;Internet-based service&lt;/em&gt;?!&lt;br /&gt;&lt;br /&gt;Let's see... if I remember my databases course rightly, that's something like...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;INSERT INTO voip_customers VALUES ('Colin Dellow');&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What is that, $2.30 per keystroke?  
At least with traditional phone service I can envision my beefy activation fee producing a hearty *THUNK* as a lever is pulled somewhere and the vacuum tubes are linked together.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-5710736085231963394?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/5710736085231963394/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=5710736085231963394' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5710736085231963394'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/5710736085231963394'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/03/why-i-dont-have-cellphone.html' title='Why I don&apos;t have a cellphone'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116999061959488579</id><published>2007-01-28T08:21:00.000-05:00</published><updated>2007-01-28T08:35:02.423-05:00</updated><title type='text'>Lindsay Slapdowns</title><content type='html'>The Shoemaker quote reminded me of another time Lindsay pointed out the error of my ways.  
This time it was my misplaced belief in the existence of centrifugal force.&lt;br /&gt;&lt;br /&gt;Clearly, the author of the xkcd webstrip had a similar experience in his formative years:&lt;br /&gt;&lt;br /&gt;&lt;img src="http://imgs.xkcd.com/comics/centrifugal_force.png"&gt;&lt;br /&gt;&lt;br /&gt;They're not all quite so nerdy.  Well, they're all pretty nerdy.  But &lt;a href="http://www.xkcd.com/c185.html"&gt;some&lt;/a&gt; &lt;a href="http://www.xkcd.com/c175.html"&gt;of&lt;/a&gt; &lt;a href="http://www.xkcd.com/c197.html"&gt;them&lt;/a&gt; &lt;a href="http://www.xkcd.com/c200.html"&gt;are&lt;/a&gt; &lt;a href="http://www.xkcd.com/c202.html"&gt;good&lt;/a&gt; nonetheless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116999061959488579?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116999061959488579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116999061959488579' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116999061959488579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116999061959488579'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/01/lindsay-slapdowns.html' title='Lindsay Slapdowns'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116999031467334155</id><published>2007-01-28T07:35:00.000-05:00</published><updated>2007-01-28T08:18:34.693-05:00</updated><title type='text'>A blog post.</title><content type='html'>So, &lt;a href="http://www.dellow.ca"&gt;some&lt;/a&gt; of the &lt;a href="http://www.mc79hockey.com/"&gt;powers&lt;/a&gt; that be are demanding that &lt;a href="http://mighspace.blogspot.com/2007/01/new-years-resolution-make-new-years.html"&gt;I blog more&lt;/a&gt;. My bad.&lt;br /&gt;&lt;br /&gt;What's on my mind?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Rapid Changes in Technology Scare Me&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;LI&gt;Lindsay has a website.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Actually, over half of the Dellow family have websites.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Tyler is asking me questions about how to wire up websites to SQL databases.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;My mom has &lt;a href="http://ifets.ieee.org/past_archives/archiv_260200_070201/0527.html"&gt;contributed to a mailing list&lt;/a&gt; run by the IEEE.&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;I'm Really Bad About the Name Changes Weddings Cause&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Not content to yell at me from her own blog, my sister recently left a comment over here saying &lt;a href="http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116669412378910365"&gt;I should post more&lt;/a&gt;.  She signed it "LG".  I thought: that idiot, she typoed her own initials.&lt;br /&gt;&lt;br /&gt;Oops.&lt;br /&gt;&lt;br /&gt;Kinda like that one school year when I looked over the list of teachers at Central Middle School and asked, "Who's Mrs. Shoemaker?" and Lindsay asked me if I remembered attending Ms. Fleming's wedding.&lt;br /&gt;&lt;br /&gt;Oops.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Frying Pan... 
Fire?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I interned on Microsoft Office last summer.  I wasn't sure I liked the idea of working for people who hadn't shipped anything since the end of 2003.&lt;br /&gt;&lt;br /&gt;So now I'm on the Microsoft Windows group.  Windows XP was shipped in 2001.&lt;br /&gt;&lt;br /&gt;Oops.&lt;br /&gt;&lt;br /&gt;Oh, and the specific team that I'm on was conceived after the spectacular failure of Microsoft's Hailstorm project, whose &lt;a href="http://mark-lucovsky.blogspot.com/2005/02/shipping-software.html"&gt;architect&lt;/a&gt; famously declared that Microsoft "doesn't know how to ship software anymore" before jumping ship for Google.&lt;br /&gt;&lt;br /&gt;Oops?&lt;br /&gt;&lt;br /&gt;Well, probably not.  Here's a description of his new life at Google:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;This week at Google, I spent three days in Mountain View, and the last two days working from home. My team includes guys in our New York Times Square Engineering office as well as folks in Mountain View. On Monday, I flew up to Mountain View and arrived in the office at 10am. I worked until 3am and guess what. I wasn't the last one in my area of the building to leave! There was plenty of company. All these guys are proud of their work, love what they are doing, and wanted to nail their deadlines and then take a few days off for the holidays. At 330am I arrived at my apartment, slept for a few hours, and then arrived at the office at 8am, grabbed a free hot breakfast, and put in another full day leaving work at 4am. Again, I was not the last one to leave. I work in an area where a team is preparing for an upcoming launch and 90% of that team was there when I left at 4am, and they were there when I returned at 830am the next day. On Wednesday, I had a short day. I arrived at 8am and had to leave to catch my flight at 7:30pm. 
Those guys that were there at 4am when I left the morning before were still there, heading down for dinner when I left at 7:30pm. For me, Thursday was a normal 12 hour day, and Friday was the reward. We met our quarterly milestone and met our launch. I am confident that my friends who pulled a few all nighters this week will also launch on time.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Mmmm, staying up til 4AM working for the man.  Enjoying a "short" 12-hour day.  If you're gonna do that, may as well be a &lt;s&gt;lawyer&lt;/s&gt; articling student.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116999031467334155?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116999031467334155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116999031467334155' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116999031467334155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116999031467334155'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2007/01/blog-post.html' title='A blog post.'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116669412378910365</id><published>2006-12-21T04:19:00.000-05:00</published><updated>2006-12-21T04:42:03.803-05:00</updated><title type='text'>Bwahahahaha, University of Windsor's 4th year ECE courses...</title><content 
type='html'>...are shameful.&lt;br /&gt;&lt;br /&gt;A final exam for the summer 2003 offering of ECE 446 (Advanced Computer Software Systems) can be found &lt;a href="http://www.engsoc.uwindsor.ca/exambank/Electrical/88-446_final-S03(El-Feghi).pdf"&gt;here (PDF)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I wish my fourth year courses had this kind of piffle. Examples of the questions:&lt;br /&gt;&lt;br /&gt;Multiple Choice&lt;br /&gt;1.   "Java programs must be saved with the following extension:" (choices: .java, .doc, .txt, .xls)&lt;br /&gt;&lt;br /&gt;Fill In the Blank&lt;br /&gt;1. Class _______ provides methods for drawing.&lt;br /&gt;...&lt;br /&gt;6. The ________ method of the Graphics class draws a line between two points.&lt;br /&gt;7. GUI is an acronym for ________.&lt;br /&gt;&lt;br /&gt;Answer to 1: Graphics.&lt;br /&gt;Answer to 6: drawLine.&lt;br /&gt;Answer to 7: graphical user interface.&lt;br /&gt;&lt;br /&gt;A 4th-year core course with 4 questions that _anyone_ can answer?  Ridiculous.  And if you took a Java programming class in high school - no worries, you'd ace this exam.&lt;br /&gt;&lt;br /&gt;Even if you didn't, the exam is full of poorly-worded questions that would allow language lawyers to argue for marks as well as redundant questions that would allow students to hedge their bets.&lt;br /&gt;&lt;br /&gt;I'd say it was pathetic if I could convince myself this was for real.  Here's the course description:&lt;br /&gt;&lt;br /&gt;"88-446. Advanced Computer Software Systems&lt;br /&gt;Operating systems; batch systems; multi-programmed batched systems; time-sharing systems; parallel systems; distributed systems; virtual machines; real-time systems; designing real-time systems; concurrent programming; exceptions and exceptions handling; message-based synchronization and communication; memory management; system threats; threat monitoring; encryption. 
(Prerequisite: fourth-year standing) (3 lecture, 1.5 laboratory/tutorial hours or equivalent a week.)"&lt;br /&gt;&lt;br /&gt;Odd - sounds like a real course, not a "Teach Yourself Java in 21 Lectures(tm)" course.  In fact, sounds a lot like ECE354 at Waterloo.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116669412378910365?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116669412378910365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116669412378910365' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116669412378910365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116669412378910365'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/12/bwahahahaha-university-of-windsors-4th.html' title='Bwahahahaha, University of Windsor&apos;s 4th year ECE courses...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116592697385052312</id><published>2006-12-12T07:18:00.000-05:00</published><updated>2006-12-12T07:36:13.926-05:00</updated><title type='text'>The Canadian Engineering Accrediation Board sucks...</title><content type='html'>...for requiring 4 mandatory natural science courses in an undergraduate engineering curriculum.&lt;br /&gt;&lt;br /&gt;I'm all for science, but it seems that scientists can't write textbooks for shit.&lt;br /&gt;&lt;br 
/&gt;Example: &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;"We become aware of the importance of rivers in human history and economy as we name the major ones: Nile, Danube, Tigris, Euphrates, Yukon, Indus, Tiber, Mekong, Ganges, Rhine, Mississippi, Missouri, Yangtze-Kiang, Amazon, Seine, Zaire, Volga, Thames, Rio Grande. The names of these rivers, and many others great and small, ring with a thousand images of history, geography and poetry.  The importance of rivers to human history, ecology, and economy is inestimable.  However, river ecology has lagged behind the ecological study of lakes and oceans and is one of the youngest of the many branches of aquatic ecology.  In the past couple of decades, however, river ecology has, as all youthful sciences do, exploded with published research, competing theories, controversies, and international symposia and now claims a well-earned place beside its more mature cousins."&lt;/i&gt;&lt;br /&gt;&lt;p&gt;M. Molles, &lt;u&gt;Ecology: Concepts and Applications, 3rd Ed.&lt;/u&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;Just in case you couldn't make it through that paragraph, here's a summary:&lt;br /&gt;&lt;br /&gt;# of commas: 31&lt;br /&gt;# of rivers painstakingly listed by name: 19.  Nineteen.&lt;br /&gt;# of times you are told rivers are important: 2&lt;br /&gt;# of references to international drinking parties: 1&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"The names of these rivers, and many others great and small, ring with a thousand images of history, geography and poetry."&lt;/i&gt;  What right does that sentence have to exist at all, much less exist in a textbook?&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"In the past couple of decades, however, river ecology has, as all youthful sciences do, exploded with published research, competing theories, controversies, and international symposia and now claims a well-earned place beside its more mature cousins."&lt;/i&gt;  Durrrhh... science causes debate! 
Ironically, the conclusion to the paragraph is the only thing that's textbook material - and then only as an example of how to pad out your word count by saying nothing meaningful with lots of words.&lt;br /&gt;&lt;br /&gt;Even though it tries to be lyrical and full of imagery, the paragraph isn't very engaging to read.  Let's rewrite it the way one would expect an expository paragraph in an engineering textbook to read:&lt;br /&gt;&lt;br /&gt;"Rivers are important.  River ecology is also important.  However, as a relatively young branch of ecology, it's full of theories that no-one agrees about."&lt;br /&gt;&lt;br /&gt;Much less painful -- and only 2 commas!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116592697385052312?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116592697385052312/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116592697385052312' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116592697385052312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116592697385052312'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/12/canadian-engineering-accrediation.html' title='The Canadian Engineering Accrediation Board sucks...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116478556094332744</id><published>2006-11-29T02:28:00.000-05:00</published><updated>2006-11-29T02:32:41.040-05:00</updated><title type='text'>Software quality metrics</title><content type='html'>I bet you the software world is the only one which allows the makers of one product to claim that its competition's product is only &lt;a href="http://www.findarticles.com/p/articles/mi_pwwi/is_200010/ai_mark01017402"&gt;0.000000002%&lt;/a&gt; as good of a product?&lt;br /&gt;&lt;br /&gt;I used to think it was stupid that people claimed Windows 2000 was 50 times more reliable than Windows 98 -- such precision! such a bold, factual statement! -- but to claim your product is 4,900,000 times better?  That's messed up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116478556094332744?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116478556094332744/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116478556094332744' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116478556094332744'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116478556094332744'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/11/software-quality-metrics.html' title='Software quality metrics'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-116389028523909059</id><published>2006-11-18T17:40:00.000-05:00</published><updated>2006-11-18T17:51:25.253-05:00</updated><title type='text'>Shock and Awe</title><content type='html'>Mostafa Tabatabainejad, a student at UCLA, was using the university's library when he was asked to prove that he was indeed a student.  This is a standard and well-known security policy that is in effect during the evenings.  &lt;br /&gt;&lt;br /&gt;Mostafa refused to present ID, and refused to leave when asked.  Police officers attempting to remove him by force met resistance:  he was tasered, handcuffed and dragged out of the library.&lt;br /&gt;&lt;br /&gt;En route and in handcuffs, he was tasered at least twice more by the police officers.  Outraged students videoed it with their cellphones -- you can see it &lt;a href="http://www.youtube.com/results?search_query=powell+library&amp;search=Search"&gt;here&lt;/a&gt; if you really want.&lt;br /&gt;&lt;br /&gt;I just think it's funny that the next day the student paper describes the student population as being "shocked and frustrated".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-116389028523909059?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/116389028523909059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=116389028523909059' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116389028523909059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/116389028523909059'/><link rel='alternate' 
type='text/html' href='http://cldellow.blogspot.com/2006/11/shock-and-awe.html' title='Shock and Awe'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-115836547184998330</id><published>2006-09-15T19:25:00.000-04:00</published><updated>2006-09-15T20:13:12.573-04:00</updated><title type='text'>Boo Air Canada</title><content type='html'>Well, I'm back in Waterloo.&lt;br /&gt;&lt;br /&gt;Furfle, however, is not.  The ever graceful baggage handlers at Air Canada broke his CPU mount in transit from Dawson Creek to Toronto.  $800 later and I have a computer which is the third incarnation of Furfle.  However, it contains no original Furfle parts.&lt;br /&gt;&lt;br /&gt;On the plus side, this gave me an excuse to get a computer that was powerful enough to run Windows Vista.  This is good for two reasons: one, I need it to prepare myself for my next work term; and two, it has snazzy speech recognition features.&lt;br /&gt;&lt;br /&gt;In fact, as you might expect, this entry was dictated.&lt;br /&gt;&lt;br /&gt;The ultimate test, however, will be using it to dictate my work term report.  
That looks to be the next 48 hours of my life - I'll let you know how it went on Monday.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-115836547184998330?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/115836547184998330/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=115836547184998330' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115836547184998330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115836547184998330'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/09/boo-air-canada.html' title='Boo Air Canada'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-115554461539963972</id><published>2006-08-14T03:56:00.000-04:00</published><updated>2006-08-14T04:36:55.926-04:00</updated><title type='text'>I'm a bad blogger</title><content type='html'>I'm a crappy blogger.   I've had an amazing summer in Redmond, and I've posted exactly 3 times.  Is my posting in peril?  Am I banishing blogging?  Excel to the rescue!&lt;br /&gt;&lt;br /&gt;&lt;img src="http://cldellow.com/images/blog-posts-graph.png" /&gt;&lt;br /&gt;&lt;br /&gt;(note: graph made in Excel 2000.  Not Excel 2007.  Not Excel 2003.  Not even Excel XP.  
Don't tell my bosses, they'll fire me.)&lt;br /&gt;&lt;br /&gt;The general trend seems to be that I post a lot towards the end of terms, and usually mostly on work terms.  So why not this work term?  Didn't I do anything cool?&lt;br /&gt;&lt;br /&gt;Let's see, here's the list o' stuff I did in the last 3 months:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Mission Impossible: III (&lt;b&gt;May 13&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Took the Underground Tour, and learned about Seattle's origins (&lt;b&gt;May 20&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Watched the Cirque du Soleil's Varekai (&lt;b&gt;May 25&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Attended Bob's 60th birthday party in Vancouver (&lt;b&gt;May 27&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Gave Dad a whirlwind tour of MSFT (&lt;b&gt;May 28&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Climbed the Grouse Grind (&lt;b&gt;June 3&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Watched the 9-o'clock cannon go off in Stanley Park (&lt;b&gt;June 4&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Watched the Twins at the Mariners; extra innings &amp;amp; 2 grand slams (&lt;b&gt;June 7&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; I made Jennifer's day (&lt;b&gt;June 8&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Attended Mike &amp;amp; Adrian's wedding in Saskatoon (&lt;b&gt;June 30-July 2&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Pirates of the Caribbean (&lt;b&gt;July 7&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Microsoft Intern Puzzleday (&lt;b&gt;July 15&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Turned legal drinking age for the 3rd time (&lt;b&gt;July 20&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Jenn visited! During a heatwave, though!  
Still, we did:&lt;/li&gt;&lt;ul&gt;&lt;li&gt; The Experience Music Project (&lt;b&gt;July 21&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; The Science Fiction Museum (&lt;b&gt;July 21&lt;/b&gt;)&lt;/li&gt;&lt;li&gt;Pike Place Market &amp;amp; the Seattle Festival (&lt;b&gt;July 22-23&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Doubletake Exhibit (&lt;b&gt;July 21&lt;/b&gt;) &lt;/li&gt;&lt;li&gt; Dinner at The Nicest Restaurant We've Ever Eaten At (&lt;b&gt;July 24&lt;/b&gt;)&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Trivia Night @ Red Hook Brewery (&lt;b&gt;July 26&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Microsoft Intern Game (&lt;b&gt;July 29-30&lt;/b&gt;)&lt;/li&gt;&lt;li&gt; Saw the Blue Angels (&lt;b&gt;August 5&lt;/b&gt;)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;And, of course, my job, where I coded &lt;b&gt;the Reaper&lt;/b&gt;.  With a name like that, you know it's gotta be cool.&lt;br /&gt;&lt;br /&gt;PS:  Hints for my twisted puzzle from last time:  They're paintings (note that one of them is the Mona Lisa, and the title refers to Holland Berkley, a painter).  The comments next to them are important for two different reasons.  There is an intentional mistake in the labelling of La Gioconda.  
And the editor I'm using is VIM.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-115554461539963972?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/115554461539963972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=115554461539963972' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115554461539963972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115554461539963972'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/08/im-bad-blogger.html' title='I&apos;m a bad blogger'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-115311997468437732</id><published>2006-07-17T02:43:00.000-04:00</published><updated>2006-07-17T03:12:29.070-04:00</updated><title type='text'>9 hours later...</title><content type='html'>I just took part in my first Intern Puzzleday.&lt;br /&gt;&lt;br /&gt;Puzzleday is a themed competition where interns form teams of 10-12 people and attempt to solve 34 puzzles.  The answers to these 34 puzzles are the keys to a 35th puzzle which leads you to the grand solution - for this year, it was King Solvs Afew's missing crown and sword.  Our team was one of the 12 (out of a total of 43) teams to complete the whole solution in the 7 hours allotted.  
It was a blast - and probably the tipping point for me in viewing Microsoft as a cool place to work.&lt;br /&gt;&lt;br /&gt;Which is kinda weird.  You'd think having the keys to the kingdom of Watson would be enough, but it turns out it's the crazy people dressed up in robes and tights that did it for me.&lt;br /&gt;&lt;br /&gt;It was total fun - I'll try to blog the highlights of it later, but for the moment, here's an open challenge to anyone who's nerdy enough to solve it:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Colin's Version of Holland Berkley's Announcement&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://cldellow.com/images/ColinsPuzzle.gif" /&gt;&lt;br /&gt;&lt;br /&gt;Apologies for the quick mockup in VIM.  I'm not much of a painter.&lt;b&gt;&lt;br /&gt;&lt;br /&gt;Tip for new puzzlers&lt;/b&gt;: Extract a description of the picture.  Then anagram it to something that relates to the title of the puzzle.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-115311997468437732?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/115311997468437732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=115311997468437732' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115311997468437732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115311997468437732'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/07/9-hours-later.html' title='9 hours later...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-115091207416001124</id><published>2006-06-21T13:47:00.000-04:00</published><updated>2006-06-21T13:47:54.176-04:00</updated><title type='text'>You know things are bad when...</title><content type='html'>...you need to use a 4-processor server with 4GB of RAM to use Excel 2007 effectively.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-115091207416001124?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/115091207416001124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=115091207416001124' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115091207416001124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115091207416001124'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/06/you-know-things-are-bad-when.html' title='You know things are bad when...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-115014466894352186</id><published>2006-06-12T16:36:00.001-04:00</published><updated>2006-06-12T16:37:48.956-04:00</updated><title type='text'>SharePoint Designer 2007...</title><content type='html'>makes me want to cry.  It's so close to being super sexy, but it's not quite there. 
:(&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-115014466894352186?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/115014466894352186/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=115014466894352186' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115014466894352186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/115014466894352186'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/06/sharepoint-designer-2007_12.html' title='SharePoint Designer 2007...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114775964721221421</id><published>2006-05-16T02:01:00.000-04:00</published><updated>2006-05-16T02:07:27.226-04:00</updated><title type='text'>Bank of America credit card numbers...</title><content type='html'>can be generated by applying a simple algorithm if you know the person's Bank of America account number.&lt;br /&gt;&lt;br /&gt;And guess how you activate a brand new credit card?  By making a purchase with it.&lt;br /&gt;&lt;br /&gt;Dan and Sarah have received their cards; I haven't.  
We're going to see if I can make a purchase with my credit card without having laid eyes on it -- now if only I can find something to buy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114775964721221421?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114775964721221421/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114775964721221421' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114775964721221421'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114775964721221421'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/05/bank-of-america-credit-card-numbers.html' title='Bank of America credit card numbers...'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114629181486269734</id><published>2006-04-29T02:19:00.000-04:00</published><updated>2006-04-29T03:50:45.030-04:00</updated><title type='text'>For the love of code</title><content type='html'>A lot of programming is CRUD, create/read/update/delete -- the usual operations for business applications.  
A lot of programming is also crud -- ugly.&lt;br /&gt;&lt;br /&gt;However, some programming is beautiful.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&lt;a href="http://www.nyx.net/~gthompso/quine.htm"&gt;Quines&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;&lt;br /&gt;A quine is a source code listing which, when compiled and run, outputs... itself.  Its self-referential aspect and the intellectual challenge of creating such a beast make it a joy to create.&lt;br /&gt;&lt;br /&gt;e.g., try the following LISP quine out at &lt;a href="http://www.ugcs.caltech.edu/~rona/tlisp/index.html"&gt;this online interpreter&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;    ((lambda (x)&lt;br /&gt;       (list x (list (quote quote) x)))&lt;br /&gt;      (quote&lt;br /&gt;         (lambda (x)&lt;br /&gt;           (list x (list (quote quote) x)))))&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;The Medium is the Message&lt;/b&gt;&lt;/li&gt;&lt;br /&gt;Sometimes, programmers take the idea of programming as an artform too literally.  Can you guess what code to display and allow a user to interact with a maze might look like?  If you guessed something like &lt;a href="http://www.notdot.net/ioccc/maze/prog.c"&gt;this&lt;/a&gt;, you're right!&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Spam Filtering&lt;/b&gt;&lt;/li&gt;&lt;br /&gt;For years programmers tried to deal with spam filtering with a HUGE set of hand-crafted rules based on trial-and-error.  These engines would run into the thousands of lines of code. In 2002, Paul Graham proposed a statistical approach to spam filtering.&lt;br /&gt;&lt;br /&gt;Its engine?  
Included below.&lt;br /&gt;&lt;br /&gt;&lt;font style="font-family:Courier,monospace"&gt;&lt;br /&gt;(let ((prod (apply #'* probs))) (/ prod (+ prod (apply #'* (mapcar #'(lambda (x) (- 1 x)) probs)))))&lt;br /&gt;&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Freedom of Speech&lt;/b&gt;&lt;/li&gt;&lt;br /&gt;There was a little bit of a kerfuffle in the world of computers in 2000.  A Norwegian man wrote some code that broke the encryption of DVD videos, allowing them to be freely playable on non-licensed computers (e.g., computers with alternative operating systems).  This also allowed people to make non-encrypted copies for backup and stealing to give away to their friends.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/c-anonymous.c"&gt;small chunk of code&lt;/a&gt;, known as DeCSS, flew around the world.  The United States of America moved to quash the reproduction and sharing of this code as it violated the Digital Millennium Copyright Act's provisions that no one should try to circumvent copyright systems.  Surprisingly, hackers obeyed -- they didn't share the original source code.  Instead, they shared &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/qrpff.pl"&gt;this version&lt;/a&gt;, &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/qrpff-fast.pl"&gt;this version&lt;/a&gt;, &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/hannum-efdtt-source.txt"&gt;this version&lt;/a&gt;, and &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/bowley-efdtt-dvdlogo.html"&gt;this version&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;To be fair, these last four links are still all code.  
Surely, they too must be in violation of the DMCA?&lt;br /&gt;&lt;br /&gt;But what about this -- a &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/decss-haiku.txt"&gt;haiku&lt;/a&gt; which intermingles a poetic description of the decryption procedure with analysis of the ongoing legal problems?&lt;br /&gt;What about a &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/css_descramble_joe_wecker.mp3"&gt;song&lt;/a&gt; describing the procedure?&lt;br /&gt;What about a &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/Castleman/css_descramble.mid"&gt;melody&lt;/a&gt;, created by mapping the characters of the decrypt function onto musical notes?&lt;br /&gt;&lt;br /&gt;(All resources shamelessly stolen from &lt;a href="http://www.cs.cmu.edu/~dst/DeCSS/Gallery/"&gt;here&lt;/a&gt;.)&lt;br /&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114629181486269734?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114629181486269734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114629181486269734' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114629181486269734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114629181486269734'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/for-love-of-code.html' title='For the love of code'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114629080842151056</id><published>2006-04-29T02:02:00.000-04:00</published><updated>2006-04-29T02:06:48.443-04:00</updated><title type='text'>Isn't this one good looking  llama?</title><content type='html'>He just looks so damned content.  Clearly, he's a worldly llama, too -- this is the standard tourist-in-front-of-impressive-landmark picture seen everywhere.  If he were in Maui, he'd have a gorgeous lei on his neck and a pina colada nestled between his forelegs.&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;a href="http://philip.greenspun.com/images/200404-ecuador-peru/200405-machu-picchu/llama-on-patio-3.4.jpg"&gt;&lt;img src="http://philip.greenspun.com/images/200404-ecuador-peru/200405-machu-picchu/llama-on-patio-3.2.jpg"&gt;&lt;/a&gt;&lt;br&gt;&lt;i&gt;Click for larger version.&lt;/i&gt;&lt;/center&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114629080842151056?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114629080842151056/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114629080842151056' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114629080842151056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114629080842151056'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/isnt-this-one-good-looking-llama.html' title='Isn&apos;t this one good looking  
llama?'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114608440385750249</id><published>2006-04-26T16:44:00.000-04:00</published><updated>2006-04-26T16:46:43.880-04:00</updated><title type='text'>WatPubs</title><content type='html'>Waterloo people heading out of town for the summer:  Sign up for &lt;a href="http://watpubs.uwaterloo.ca/"&gt;WatPubs&lt;/a&gt;!&lt;br /&gt;&lt;br /&gt;It's basically a convenient way for someone to organize social opportunities for interested students.  I'm the WatPub co-ordinator (I think...) for Redmond for summer 2006 - so especially if you're working for MS or Amazon, sign up!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114608440385750249?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114608440385750249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114608440385750249' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114608440385750249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114608440385750249'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/watpubs.html' title='WatPubs'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' 
src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114554601028210932</id><published>2006-04-20T11:12:00.000-04:00</published><updated>2006-04-20T11:13:30.293-04:00</updated><title type='text'>3A is over!</title><content type='html'>Yay!  With CS457's exam done, 3A is finally over and it's time to pack up and head for home.&lt;br /&gt;&lt;br /&gt;Note - a course where 1/3 of the students fail the midterm is a good course.  It means the final exam has questions like: "For 16%, is 10 less than 14?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114554601028210932?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114554601028210932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114554601028210932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114554601028210932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114554601028210932'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/3a-is-over.html' title='3A is over!'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114541914615069558</id><published>2006-04-18T23:57:00.000-04:00</published><updated>2006-04-19T00:00:09.416-04:00</updated><title type='text'>Immigration papers</title><content 
type='html'>My immigration papers came today.&lt;br /&gt;&lt;br /&gt;I was relieved to see the USA possesses the full complement of alphabetic bureaucratic crap.  I'm the proud owner of a J-1 visa, complete with the DS-2019, G-28, I-94 and I-901 forms to prove it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114541914615069558?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114541914615069558/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114541914615069558' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114541914615069558'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114541914615069558'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/immigration-papers.html' title='Immigration papers'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114420569486439483</id><published>2006-04-04T22:53:00.000-04:00</published><updated>2006-04-04T22:54:54.880-04:00</updated><title type='text'>Microsoft internship</title><content type='html'>So I'll be working in the Office Shared Services group.  Part of this group's mandate is the Error Reporting features you see in Microsoft products (Oops -- your computer crapped itself!  
Shall we yell at people at Microsoft for you?)&lt;br /&gt;&lt;br /&gt;I sure hope I'm not working on testing the &lt;span style="font-weight:bold;"&gt;new&lt;/span&gt; Error Reporting features: &lt;a href="http://www.metacafe.com/watch/88657/share_the_pain/"&gt;http://www.metacafe.com/watch/88657/share_the_pain/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114420569486439483?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114420569486439483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114420569486439483' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114420569486439483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114420569486439483'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/microsoft-internship.html' title='Microsoft internship'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114413064940404539</id><published>2006-04-04T01:38:00.000-04:00</published><updated>2006-04-04T02:04:09.456-04:00</updated><title type='text'>User interfaces -- making Windows suck less</title><content type='html'>Windows sucks.  Don't get me wrong, all the other OSes suck, too.&lt;br /&gt;&lt;br /&gt;Why?  Let's talk about MOOs.  They were invented 16 years ago by Pavel Curtis in a research laboratory.  
To give you some historical context, this was just before Windows 3.0 was released.  Linux was yet to be created; MacOS was sitting at System 7.  MacOS 7 and Windows 3.0 sucked - they were largely static beasts with little ability to configure them and make them react intelligently to the user.&lt;br /&gt;&lt;br /&gt;MOOs, on the other hand, were amazing beasts.  A MOO is a virtual world on the Internet, divided into rooms and populated with people and the objects they create.  Forget MSN Messenger -- just use the in-MOO paging system.  Forget e-mail and mailing lists -- just use the in-MOO mailing system.&lt;br /&gt;&lt;br /&gt;But what I think was truly the drawing point of MOOs for many of us was the control over your environment that they offered.  &lt;br /&gt;&lt;br /&gt;Want to be in more than one place at once?  Code up some minions to park themselves in other rooms and provide a two-way communications link.  Need discretion?  Code up some detection countermeasures -- but don't get caught, as "bugging" rooms is usually grounds for excommunication from the virtual society.&lt;br /&gt;&lt;br /&gt;Do you find yourself frequently chatting to the same people?  Screw typing repetitive commands over and over again -- bang out some code to have the system remember your last contacts and redirect conversations accordingly.  Not interested in hearing what one person has to say?  Rewrite your communications code to throw everything they send your way into the garbage can.&lt;br /&gt;&lt;br /&gt;So what does this have to do with user interfaces in the context of Windows and its friends?  Well, as I've said, MOOs let you mediate your reality and pretty much every MOOer with a programmer flag had custom routines to interact with their virtual world.  They could do this because they had the confidence that when they logged in, regardless of whether or not they came from school, home or an Internet cafe, they would have the same commands available to them.  
The benefits of customizing your reality are limited if you can't get consistency -- indeed, one of the punishments of the virtual society was not banishment from the realm, but rather temporary banishment from your character and its customizations.&lt;br /&gt;&lt;br /&gt;Windows, 16 years later, can't offer me this.  When I'm working on code and need to switch computers, not only do I lose the environment I have customized and launched, but sometimes I lose access to the underlying tools themselves!&lt;br /&gt;&lt;br /&gt;Why can't I take a snapshot of my computer -- including what applications are open, where windows are positioned -- and then transfer it to another computer?  Hell, why can't I define certain contexts, and switch amongst them while working? e.g. a banking context (launch Firefox and log in to TD and RBC); a CS assignment context (load up my editors, connect to the UNIX terminal servers, load up any reference docs I had open).&lt;br /&gt;&lt;br /&gt;Hey, why can't I define contexts on the fly as tasks come to me?  Relevant examples lately in my life:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Apartment search in Redmond&lt;/b&gt; - including websites about Microsoft housing benefits, apartment complexes in Redmond, Gmail virtual folder including all correspondence, notepad with notes about deadlines and next steps&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Finalizing Microsoft intern contracts&lt;/b&gt; - documents to be filled out and faxed, important contacts at Microsoft, receipts that I will need to get reimbursed in a month's time&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Within this context, I can track my ongoing tasks very easily and switch between them effortlessly by calling up their contexts.  When there's no work left to be done in a context, delete it.  
Simple as that!&lt;br /&gt;&lt;br /&gt;I'm currently coding up a set of programs that provide this basic functionality -- and that can reside on a USB key, thus allowing me to have my contexts accessible to me on any Windows XP computer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114413064940404539?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114413064940404539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114413064940404539' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114413064940404539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114413064940404539'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/04/user-interfaces-making-windows-suck.html' title='User interfaces -- making Windows suck less'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114298193642675230</id><published>2006-03-21T17:56:00.000-05:00</published><updated>2006-03-21T17:58:56.436-05:00</updated><title type='text'>I'm unhip because I didn't pimp a Web 2.0 product until it was in public beta</title><content type='html'>To prove my hipness, &lt;a href="http://www.riya.com/groundTruth"&gt;Riya's private beta signup link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Oh, and you're in it.&lt;br /&gt;&lt;br /&gt;(Actually, I wonder how that works.  
If you register with carbolicsmokeball, will they grant you access to my private photos of you?  Hrm...)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114298193642675230?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114298193642675230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114298193642675230' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114298193642675230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114298193642675230'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/03/im-unhip-because-i-didnt-pimp-web-20.html' title='I&apos;m unhip because I didn&apos;t pimp a Web 2.0 product until it was in public beta'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114270838025711079</id><published>2006-03-18T13:58:00.000-05:00</published><updated>2006-03-18T13:59:40.270-05:00</updated><title type='text'>Pandora</title><content type='html'>Do you like music?&lt;br /&gt;&lt;br /&gt;Then check out &lt;a href="http://www.pandora.com"&gt;Pandora.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;(Thanks, Jingyuan!)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114270838025711079?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114270838025711079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114270838025711079' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114270838025711079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114270838025711079'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/03/pandora.html' title='Pandora'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114211617508155217</id><published>2006-03-11T17:27:00.000-05:00</published><updated>2006-03-11T17:29:35.100-05:00</updated><title type='text'>Dan's addiction</title><content type='html'>My friend Daniel has a problem.  He's got an addiction.  He has incessant cravings.  He just can't get enough... books.&lt;br /&gt;&lt;br /&gt;Yesterday we sat down and tabulated the books that he either owns or has been loaned at gunpoint and told to read.&lt;br /&gt;&lt;br /&gt;The tally sits at just under 10,000 pages contained in 36 books.  Have fun, Dan!  
May I recommend David Allen's &lt;a href="http://www.amazon.com/gp/product/0142000280/002-6543716-0544039?v=glance&amp;n=283155"&gt;classic&lt;/a&gt;?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114211617508155217?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114211617508155217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114211617508155217' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114211617508155217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114211617508155217'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/03/dans-addiction.html' title='Dan&apos;s addiction'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114048005914108222</id><published>2006-02-20T18:55:00.000-05:00</published><updated>2006-02-20T19:00:59.153-05:00</updated><title type='text'>Dvorak keyboards</title><content type='html'>So, I have made one more ergo tweak:&lt;br /&gt;&lt;br /&gt;I have begun typing on a Dvorak keyboard.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.mwbrooks.com/dvorak/layout.html"&gt;It's weird&lt;/a&gt;.  
But, it offers much more balance between left and right hands as well as much less hand motion in general (think like 50% less).&lt;br /&gt;&lt;br /&gt;But, bah, muscle memory is hard to override!&lt;br /&gt;&lt;br /&gt;(This post took four minutes to type.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114048005914108222?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114048005914108222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114048005914108222' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114048005914108222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114048005914108222'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/dvorak-keyboards.html' title='Dvorak keyboards'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114042349767053212</id><published>2006-02-20T03:17:00.000-05:00</published><updated>2006-02-20T03:18:17.680-05:00</updated><title type='text'>Addendum</title><content type='html'>Also, I've stopped cracking my knuckles.  Although not related to the commoner RSI symptoms, cracking knuckles can apparently cause weakened grip strength.  
&lt;br /&gt;&lt;br /&gt;The more you know, eh?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114042349767053212?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114042349767053212/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114042349767053212' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114042349767053212'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114042349767053212'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/addendum.html' title='Addendum'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114041898371624371</id><published>2006-02-20T01:41:00.000-05:00</published><updated>2006-02-20T02:07:30.846-05:00</updated><title type='text'>Tingly Numbness</title><content type='html'>So last week I had this tingling feeling in my hands.&lt;br /&gt;&lt;br /&gt;And occasionally my fingers felt kinda numb.&lt;br /&gt;&lt;br /&gt;And typing was difficult -- my fingers weren't as nimble as they should have been.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Do you know how scary that is?  You do -- great! Now imagine you're me.  I exist through my computer.  It's how I communicate, how I learn, and how I do my work.  It  is probably the most consistent source of joy in my life.  Call me a nerd, but I love seeing what technology can do. 
 I love how it connects people.  My computer, but more so my ability to type, is largely, horribly, irreversibly tangled up in my definition of self.&lt;br /&gt;&lt;br /&gt;Now picture this scenario if you were me: the one tool that has defined you since you were 5 and you cannot use it.  Even though you have the knowledge within your brain to make great things happen, you cannot force your hands to make real the impulses you have.  The nerves just aren't doing their job.  Sorry, Colin: no love for you today!  Try sleeping... maybe tomorrow the problem will just magically go away!&lt;br /&gt;&lt;br /&gt;And for a week, I did just that.  I slept, and I hoped.  I slept, and I hoped.  I slept, and I hoped.  I slept, and I hoped.  By the time I got in to see the doctor, the problem had (mostly) gone away.  The doctor told me I had aggravated my ulnar nerve likely based on how I sit.  Nothing to worry about, just pay more attention.  And today, I feel mostly back to normal.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;But for a week, I was silently scared shitless.  Know the feeling you get when you whack your funny bone?  That's because you've pissed off your ulnar nerve.  So, while it was great to hear that I probably don't have RSI, I was, to repeat myself, absolutely scared shitless.  Living with a lifelong buzzing in my arms is NOT what I envisioned when I was young.&lt;br /&gt;&lt;br /&gt;So I'm treating this as an enormously lucky break and the world's loudest wake-up call.  I've done a lot of research into RSI and ergonomics.  I'm ditching my &lt;a href="http://www.hi-ho.ne.jp/vine/keyboard/image/kb0133/1.jpg"&gt;$10 existing keyboard&lt;/a&gt; for a &lt;a href="http://keyovation.com/images/Product/large/17.jpg"&gt;$130 ergonomically happy keyboard&lt;/a&gt;.  
&lt;span style="font-weight:bold;"&gt;The benefits&lt;/span&gt;:  &lt;br /&gt;&lt;ul&gt;&lt;li&gt;Less force to depress individual keys&lt;/li&gt;&lt;li&gt;Much more neutral pronation in the wrists&lt;/li&gt;&lt;li&gt;Non-alphanumeric keys are distributed equally over left/right hands (e.g. function keys, arrow keys, page down/up, home/end)&lt;/li&gt;&lt;li&gt;Narrower profile on desk, enabling mouse to be closer to body&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;I'm also going to pick up a $10 &lt;a href="http://www.canadacomputers.com/ProductImages/001031/377.jpg"&gt;gel mousepad with wrist support&lt;/a&gt;.  My &lt;a href="http://www.jdr.com/images/products/L/logi-mx500.jpg"&gt;mouse&lt;/a&gt; is a moderately ergonomic one, and I think with wrist support and being that much closer to my body due to the new keyboard's reduced profile, it'll be just fine.  Plus it was a Valentine's day gift from Jenn -- it's got sentimental value!&lt;br /&gt;&lt;br /&gt;As well, I've installed &lt;a href="http://www.workrave.org/welcome/"&gt;Workrave&lt;/a&gt;.  It's a free program for Windows, Mac and Linux to remind you to take rest breaks as well as micropauses throughout the day.  It'll even lock your computer to encourage recalcitrant people to take breaks.&lt;br /&gt;&lt;br /&gt;Lastly, I'm doing research into &lt;a href="http://www.mydailyyoga.com/full_body_stretch.html"&gt;daily stretches&lt;/a&gt; I can do to strengthen the weaker muscles in my hands, wrists and arms.&lt;br /&gt;&lt;br /&gt;If you're a computer nerd and you've had any of the symptoms of RSI -- weak grip, tingling, numbness, clumsiness, difficulty sleeping due to your wrists/hands, pain in the upper arms, pain in the forearms -- go see a doctor!  And start doing research on typing injuries!  And if you're not in pain now... 
remember this blog post just in case something happens in the future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114041898371624371?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114041898371624371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114041898371624371' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114041898371624371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114041898371624371'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/tingly-numbness.html' title='Tingly Numbness'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114007198173451063</id><published>2006-02-16T01:21:00.000-05:00</published><updated>2006-02-16T01:39:41.746-05:00</updated><title type='text'>Google Groups</title><content type='html'>so, in case any one of my loyal readers should go snooping on Google Groups, let me address some issue that will doubtless pop up.&lt;br /&gt;&lt;br /&gt;The issue is about &lt;a href="http://groups.google.com/group/k12.ed.tag/browse_thread/thread/b127fd81f1950003/559a1054fcb48b82?lnk=st&amp;q=colin+dellow&amp;rnum=76#559a1054fcb48b82"&gt;this message right here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Lemme quote what "Colin Dellow" said: &lt;blockquote&gt;I feel that the government is spending too much money on things that 
we can gert by without. People are living without necessities due to the goverments taxes. Its time to start cutting out some things which aren't vitally important. These kids will still be able to find work.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Now, sure, I was raised in a &lt;a href="http://en.wikipedia.org/wiki/Prince_George%E2%80%94Peace_River#Election_results"&gt;rather conservative part of Canada&lt;/a&gt;. And hey, I'm a precocious kid -- look at me &lt;a href="http://groups.google.com/group/comp.os.msdos.djgpp/browse_thread/thread/10a8e5c5b0f21007/b879e05fa72d13a6?lnk=st&amp;q=colin+dellow&amp;rnum=70#b879e05fa72d13a6"&gt;here&lt;/a&gt;, age 13, asking a group of C programmers which is the better TCP library to use:  Waterloo's stack or DJ Delorie's.&lt;br /&gt;&lt;br /&gt;But come on.  I'm suggesting we should cut funding for gifted programs at age &lt;span style="font-weight:bold;"&gt;EIGHT&lt;/span&gt;?  That puts me in grade three.  In a school that doesn't even receive funding for gifted programs.  Now sure, perhaps my adolescent self was royally embittered at the bastards in the public system, with their marble urinals, their gold-plated drinking fountains and their 5-to-1 teacher-to-student ratio.&lt;br /&gt;&lt;br /&gt;Or maybe my brother "typoed" his name.  For crying out loud, this wasn't even sent on Usenet -- it was sent on FidoNet.  If you're not a big techie nerd, an analogous statement would be: &lt;i&gt;For crying out loud, this wasn't even transmitted via telephonic wires -- it was sent via carrier pigeon.&lt;/i&gt; Hell, I'm surprised "Colin" didn't have a Flock of Seagulls lyric in his signature block.  And a mullet.  And clothes in neon orange and green hues.  
And the middle name Paul.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114007198173451063?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114007198173451063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114007198173451063' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114007198173451063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114007198173451063'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/google-groups.html' title='Google Groups'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-114007084512883723</id><published>2006-02-16T01:17:00.000-05:00</published><updated>2006-02-16T01:20:45.140-05:00</updated><title type='text'>OARBS gets a news article</title><content type='html'>OARBS recently got &lt;a href="http://cldellow.com/files/metro-page28.pdf"&gt;a positive article (warning: pdf)&lt;/a&gt; in the &lt;a href="http://www.metronews.ca/"&gt;Toronto Metro&lt;/a&gt;, a commuter paper with an estimated circulation of 400,000.  &lt;br /&gt;&lt;br /&gt;The story's basically a hometown-kid-does-good fluff piece on Dan and has already generated 3 inquiries today.  
Huzzah!&lt;br /&gt;&lt;br /&gt;For some reason though, the thing that makes me most giddy is the fact that I now have &lt;a href="http://news.google.com/news?svnum=10&amp;hl=en&amp;lr=&amp;tab=in&amp;ie=UTF-8&amp;q=colin+dellow&amp;btnG=Search+News"&gt;a hit on Google News&lt;/a&gt; in addition to my hits on Googles Web, Local, Images and Groups  (can you tell?  Google is my Pokemon.  Collect them all!)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-114007084512883723?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/114007084512883723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=114007084512883723' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114007084512883723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/114007084512883723'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/oarbs-gets-news-article.html' title='OARBS gets a news article'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-113919318106576055</id><published>2006-02-05T21:31:00.000-05:00</published><updated>2006-02-05T21:33:01.080-05:00</updated><title type='text'>Seattle</title><content type='html'>What do two procrastinating nerds do with Google Earth, a broadband internet connection, high school algebra, PERL and a variety of songs?&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.danielmarantz.com/fun/seattle.wmv"&gt;They make a video&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-113919318106576055?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/113919318106576055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=113919318106576055' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/113919318106576055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/113919318106576055'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/seattle.html' title='Seattle'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7021685.post-113911079185872491</id><published>2006-02-04T22:33:00.000-05:00</published><updated>2006-02-04T22:39:51.866-05:00</updated><title type='text'>The Corporate Monopoly That Refreshes</title><content type='html'>...it's like &lt;a href="http://local.live.com/default.aspx?v=2&amp;ss=1%20microsoft%20way%2c%20redmond~1%20microsoft%20way%2c%20redmond%2c%20wa&amp;cp=47.64327~-122.124979&amp;style=o&amp;lvl=2&amp;scene=3729994&amp;sp=adr.1%20Microsoft%20Way%2c%20Redmond%2c%20WA%2098052"&gt;they knew I was coming&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Other cool things that Dan and I found on the Microsoft campus:&lt;br /&gt;* &lt;a 
href="http://local.live.com/default.aspx?v=2&amp;cp=47.641927~-122.126143&amp;style=o&amp;lvl=1&amp;scene=3729994&amp;sp=adr.1%20Microsoft%20Way%2c%20Redmond%2c%20WA%2098052"&gt;Very foresty parking lots&lt;/a&gt;&lt;br /&gt;* &lt;a href="http://local.live.com/default.aspx?v=2&amp;cp=47.642125~-122.12903&amp;style=o&amp;lvl=1&amp;scene=3729994&amp;sp=adr.1%20Microsoft%20Way%2c%20Redmond%2c%20WA%2098052"&gt;Beach volleyball courts, soccer fields and baseball diamonds&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7021685-113911079185872491?l=cldellow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cldellow.blogspot.com/feeds/113911079185872491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7021685&amp;postID=113911079185872491' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/113911079185872491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7021685/posts/default/113911079185872491'/><link rel='alternate' type='text/html' href='http://cldellow.blogspot.com/2006/02/corporate-monopoly-that-refreshes.html' title='The Corporate Monopoly That Refreshes'/><author><name>Colin!</name><uri>http://www.blogger.com/profile/15116594874775755604</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='22' src='http://cldellow.com/images/colin-at-cn-tower.jpg'/></author><thr:total>1</thr:total></entry></feed>
