Ben Laurie blathering

27 Apr 2009

Three Books

Filed under: Books — Ben @ 10:00

I do most of my reading when travelling (have to find some way to fill in the email gap), and the last three books I’ve read have been notably great. So, in no particular order…

Musicophilia: Tales of Music and the Brain, by the slightly insane Oliver Sacks. I generally enjoy Sacks’ books but they always feel a bit light on science. This book is different – full of fascinating anecdotes backed up by actual research. Most astonishing is the way that music can have a radical effect on people suffering from very debilitating conditions, such as Parkinson’s and Alzheimer’s. Great read.

Old Man’s War by John Scalzi. The cover compares Scalzi to Robert Heinlein. This strikes me as entirely unfair; Heinlein’s books are entirely populated by Heinlein talking to himself (if the character is male) and brainy bimbos that are hopelessly in love with him. Scalzi manages a much grittier and highly engaging version of Starship Troopers (which is admittedly a classic, even if Heinlein did write it).

Finally, Crooked Little Vein by Warren Ellis. A high speed romp through the perverts of the modern age by the world’s unluckiest private investigator in search of the lost, secret, alternative constitution of the United States of America, under the control of a monkey-crap injecting Most Powerful Man In The World. Really. Apparently it was supposed to shock me (said the back cover) but I was mostly laughing.

7 Apr 2009

Trust Me, I’m Signed!

Filed under: Rants,Security — Ben @ 15:30

The W3C recently announced their spec for signing widgets. Signing things is a good idea, if you’d like to be assured that they come from where you think they come from, or you want to detect tampering. But I would have hoped we were way past statements like this:

Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.

If trust and quality were assured by signatures then our lives would be so much easier – but sadly it is not so. Indeed, it is so much not so that CAs, in an amazing piece of marketing, have managed to persuade us that, since they work so poorly for trust, what we should do is pay them even more money to get more robust signatures (a.k.a. EV certificates)!

Anyway, I was sufficiently irritated by this stupidity that I felt it necessary to remark on it. Which prompted this absolutely brilliant response from my friend Peter Gutmann:

From the report:

Of signed detected files, severity of the threats tended to be high or severe, with low and moderate threats comprising a much smaller number of files:

Severe 50819
High 73677
Moderate 42308
Low 1099

So there you go, signing definitely does provide a “trust and quality assurance mechanism”. If it’s a CA-certified signed rootkit or worm, you know you’ve been infected by the good stuff.

“The report”, by the way, is a large scale study by Microsoft which makes for some interesting reading. In particular, they also acknowledge that even the promise that signatures would at least let you track down the evil bastard that wrote the code has proven empty:

Though also intended to identify the signing parties, Microsoft has been unable to identify any authors of signed malware in cooperation with CAs because the malware authors exploit gaps in issuing practices and obtain certificates with fraudulent identities.
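The point of the post, as an added illustration (not code from the post, from the W3C spec or from Microsoft’s report): verification is a function of the public key, the exact bytes and the signature, and nothing else. Below is a minimal hash-based (Lamport) one-time signature in pure Python; the two “widget” payloads and the second, rogue key are constructed sample data. A validly signed widget with hostile content verifies just as cleanly as a benign one, while any tampering with the signed bytes fails.

```python
import hashlib
import hmac
import secrets

# Lamport one-time signature over SHA-256 digests. Constructed as an added
# illustration only; this is not the W3C widget signature format.
N = 256  # digest bits: one (secret_for_0, secret_for_1) pair per bit


def keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _bits(message: bytes):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(digest >> (N - 1 - i)) & 1 for i in range(N)]


def sign(priv, message: bytes):
    """Reveal, for each digest bit, the secret matching that bit. One use per key."""
    return [priv[i][bit] for i, bit in enumerate(_bits(message))]


def verify(pub, message: bytes, signature) -> bool:
    """True iff the holder of the matching private key signed exactly these bytes."""
    if len(signature) != N:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        ok &= hmac.compare_digest(hashlib.sha256(signature[i]).digest(), pub[i][bit])
    return bool(ok)


def demo():
    """Constructed sample widgets: signature validity says nothing about content."""
    priv_benign, pub_benign = keygen()
    priv_rogue, pub_rogue = keygen()  # a second key, however its owner obtained it
    benign = b"<widget id='clock'/>"
    rogue = b"<widget id='clock'/><script>hostile content</script>"
    sig = sign(priv_benign, benign)
    return {
        "genuine": verify(pub_benign, benign, sig),                      # origin + integrity hold
        "tampered": verify(pub_benign, benign + b"!", sig),              # altered bytes are caught
        "rogue_signed": verify(pub_rogue, rogue, sign(priv_rogue, rogue)),  # hostile but "valid"
    }
```

Only the "tampered" case fails; the rogue widget passes because nothing in verification inspects what the bytes do.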

CodeCon Is Back!

Filed under: General,Open Source,Programming — Ben @ 10:43

Unfortunately, I can’t be there, but the lineup looks great. The bio-hacking track looks particularly fun.

Not long to go now, less than two weeks. Sign up!
