The Daley Devlin - Home

Usable Security's Stumbling Block: The Chicken and the Egg

2008-07-14T20:30:00Z

One of the main problems, as I see it, with security research is the chicken and the egg. Let’s say you come up with a snazzy new protocol, but this protocol requires a smart client (or modification to a browser). Additionally, you have some identity providers that are not terribly difficult to develop, but are not deployed. Now, how do you justify deploying all these modifications or new service providers if there are no clients to take advantage of them? On the other hand, how do you justify upgrading all the clients to support a protocol that has no identity providers?

The real answer is that you compromise. Either you find some company whose business model can benefit directly from the technology and have them be a champion, and hope that you can get enough marketing (yes you heard me, marketing) and people interested that it creates some momentum and adoption.

One of the coolest protocols I’ve read about is SRP. It’s the bomb, really. Password based, strong cryptographic properties, mutual authentication—both the client AND the service provider are authenticated, phishing attacks to obtain your password are not an issue. I could go on, it’s got some serious coolness. Additionally, some work at BYU shows how it can be extended to make it solve a lot of problems that OpenID is aimed at, without the drawbacks. (Heck, it even allows you to delegate access to other users.)

Problem is, SRP and its extensions require a smart client, and modification of service providers. Chicken and the egg. Drat.

Thoughts:

I’m wondering if it can be adopted by compromise, by providing a signed java applet to perform the smart client responsibilities for wireless authentication.

Another thought, what if you could get one half of the problem solved, like getting widespread deployment of the smart client, the other side could very easily drop into place.

Early Adopters

Interesting tech is usually adopted by the geeks before it goes mainstream. Now, not all things the geeks embrace make it mainstream, but a lot of things mainstream were solidly in geek territory in the beginning. One way to get early adopters is to:

make a polished smart client for the linux desktop (gnome/kde)
on the server make your software as easy to use as an apache module etc.

The key is real solutions that at least the geeks can use today.

Ride Someone Else’s Coattails

OK. Everyone agrees that smart phones/smaller devices are going to be a key part of the foreseeable future. Why not use this trend to lift usable security mechanisms out of their academic tar pit? Just to be controversial I’m going to say Android is going to be huge. What if someone stepped up, and implemented this slick, efficient, just-what-the-doctor-ordered password smart client for the Android platform that happened to support SRP? Let’s say it took off like the iPhone, I think it is realistic to see broader adoption of SRP across the board if, in a year after launch there are 90 million installed clients with active users.

Accessing On-Campus Digital Libraries From Home

2008-04-24T04:10:07Z

You’ve run in to this before. You’re at home, looking up some academic papers and you always run in to a couple that you can’t track down on the internet at large. You’ve got to get them from on of the major digital libraries. Sure, your university has a campus subscription—but you’re not on campus. You flounder trying to get something to work from the command line. No dice.

Here’s my trick.

Use SSH to set up a proxy back to your campus and send your web traffic through the campus network so that it looks like you’re on campus. I’ve got a Mac so ssh is easily available from the command line. I have gotten this to work using Putty on Windows though.

SSH supports SOCKS (a protocol for proxying traffic). It will open up a port locally (of your choosing) and any traffic to that local port will be carried over your secured ssh connection and come out the other side and the remote host you’re connected to will proxy all the data.


    ssh -D 9000 username@cs.yourschool.edu

With this command ssh will listen on your localhost on port 9000. Configure Firefox to use a web proxy, Firefox -> Preferences -> Advanced Tab -> Network -> “Configure how Firefox connects to the Internet” . Choose the Manual proxy configuration radio button. For the SOCKS entry the host is, localhost, and the port is whatever you specified for the -D option (I used 9000). Hit OK and you’re done.

Firefox will now pipe all your web traffic over ssh to your remote server. You are now “on campus” as far as anyone looking at your origin IP address is concerned.

I’d turn off the proxy (just set it back to no proxy in Firefox’s settings) after downloading what you’re after to avoid any network delay.

This technique is sometimes useful in situations at conferences where the wireless is blocked on port 80, but not on port 22 (ssh’s port). This is completely unconfirmed—you didn’t hear it from me.

Taking Screenshots on the Mac

2008-01-17T23:51:00Z

I’m writing this down so I won’t forget.

First, there’s the utility “Grab” in Applications/Utilities. It doesn’t have a window, you use the program menu or the keyboard shortcuts. After you take a shot it pops up a window with the image that you can save anywhere you want. By default it outputs TIFF images.

My preferred method is to use the keyboard shortcuts built into OS X. It generates crisp PNG image files of the screen.

apple command key + shift + 3 will take a capture of the entire screen (or two captures if you’re running a dual-head setup) and automatically save it as a PNG file on your desktop. It will be named Picture 1.png, where the number is auto-incremented with each screenshot.

apple command key + shift + 4 changes your cursor into a bulls eye. Whatever you select ends up the same as before—a file with the same naming convention on the desktop.

apple command key + shift + 4 when you’ve got the bulls-eye cursor hit the space bar. It changes the icon to a camera. It takes a picture of the selected application window—the selected window will be highlighted in baby blue.

Hassle Me

2008-01-16T23:53:01Z

HassleMe is a cool looking free service that I ran into recently.

Not eating enough fruit? Forgot to feed the fish again? Need a little help keeping your New Year’s resolutions? Tell us what to hassle you about, and we’ll nag you via email at semi-unpredictable intervals.

I like the simplicity of it. I also like that you can configure a rough timing scheme. I could see myself configuring a ‘hassle’ everyday for only a short time. Either it would get ingrained into my head to do the thing everyday and I wouldn’t need the nagging anymore or it would be too much and the virtual nagging would become a little too real.

It would be fantastic for things that don’t happen quite as frequently. I know I’m no the only one that on occasion realizes that a month has passed by without me knowing.

Methinks the integration can go just a titch deeper – instead of just reminding, allow the notification to be actionable. For instance, if I mail you a reminder to blog, if you respond to the email, your response could be posted directly to your blog. Same goes for a journal.

An identity system with a delegation mechanism is really needed here. If I really want this service to post to my blog, well, I shouldn’t have to give it my blog password. I should be able to grant access to an application (the reminder service) to post a blog entry or whatever else without me disclosing my password. AtomPub can get us a lingua-franca to converse with all these web services, but it doesn’t provide the identity part.

Java Java Everywhere, but not a drop to Drink

2008-01-16T22:40:36Z

There are a lot of things going on over in Java-land that are bringing up the question, what exactly do you mean by Java? and what does the future of Java look like?

JRuby, Jython, Groovy and Rhino, these are all projects that show that Java as a language is not the future, but Java as a platform has a long and prosperous future.

On the other hand, Android is showing that the virtual machine isn’t the essential piece—it’s the syntax, the language. Android is using “java” but targeting their own virtual machine , dalvik instead of the JVM.

Which is it? I’m not sure. Both developments are heading in opposite directions, but both directions look promising. Conclusion: Java the platform|language|OS|whatever isn’t going away any time soon and what we think of as Java is definitely going to change.

Flash Conference

2008-01-16T06:16:00Z

Out of the fuss over the parody video ‘Here Comes Another Bubble’ (succinct summary) an intriguing idea is set forth over at scripting news

Most conferences are so boring. I want to do a conf on a hot subject when it’s still hot in the blogosphere. This may be a good subject for such a quickly organized conference. What do you think of the flash conference idea for this??

I’ve never though about a flash conference before. Not just for this topic, but so many others as well.

Fantastic idea. Love it.

Tip: Bibtex in Google Scholar just saved a few years of my life

2008-01-14T22:13:07Z

I use Google Scholar among other academic searches to find work related to my research. Other citation references supply a Bibtex entry for generating bibliographies. It wasn’t readily apparent to me, but Google Scholar does have this feature, you just have to turn it on.

Go into the Google Scholar Preferences and change the ‘Bibliography Manager’ to “show links to import citations into Bibtex”. Other options for bibliography management are: EndNote, RefMan, RefWorks, WenXianWang.

Oh and while you’re in there, set the results per page to something more reasonable like 50.

Happy hunting on your related work searches.

First Bluetooth Device

2008-01-11T18:04:50Z

At home we have a MacBook. My wife can’t stand using the trackpad—she’s got to have a mouse. For our anniversary I got her a Kensington bluetooth mouse. I wanted a bluetooth device because I didn’t want any USB receiver sticking out the side to get bumped or broken. Took all of 45 seconds to hook it up.

Seamless.

Is that because we’ve got a Mac or is it because Bluetooth is cool?

Greasemonkey just saved a few years of my life

2008-01-10T23:54:48Z

I’m a big fan of Google Reader. Let’s just say I’m subscribed to more than a few feeds. I use the keyboard shortcuts to quickly read and scan through my reading list. To keep my pace I’ve come to open articles that I want to think about more, or ones that I want to read more in depth in background tabs. Usually this involves the laborious task of moving my hand from the keyboard and middle-clicking with the mouse. Painful. Time-wasting. Distracting.

Enough is enough, so I decided to create a Greasemonkey script to bind a keyboard shortcut to opening an article in a background tab. But, what magical javascript incantation is required to open a tab?

Turns out that Greasemonkey doesn’t only allow you to add functionality via javascript to any webpage, it also provides privileged functionality that is not available to normal javascript running in a webpage. One of those methods is, opening a url in a background tab .

All the hard work goes to Sunny Wu who provided the solution. I tweaked his version to use the “h” character instead of “v”.

I wasn’t sure what kind of event this handler receives and so I wasn’t sure how to determine that a “h” was pressed. Firebug to the rescue, I just added the following line to just print out the value to the Firebug console.


console.info("key=", event.which);

Sidenote: Ever wonder what event is sent for crazy modifiers like shift+3 or shift+s? I thought it might be something complicated—where you’d check if modifier keys were pressed on the keyboard event. I was thinking too much. Shift+3 ends up sending a #, shift+s sends a capital S. Who would have thought?!

Just change the first “if” to compare against 104 instead of 118 and h is the man.

I changed to h since, well, first, v currently opens the article in another tab that immediately takes focus—handy at times. Second, well, if I use h instead, I can navigate mostly with just my right hand :)

Firefox Tip on the Mac: Tabbing through Select Fields

2008-01-10T00:33:38Z

By default, on a Mac in Firefox, tab moves from one form element to another—except it will skip radio buttons, checkboxes and drop-down select boxes. I have suffered in silence since I started using the Mac. I finally found out that this too can be remedied. Hooray!

There is an actual setting in the Mac OS that produces this behavior. To change this so that tab treats all form elements with equality go to: System Preferences -> Keyboard and Mouse and select the tab Keyboard Shortcuts. On the bottom you will see a setting for “Full Keyboard Access”. Just set it to All Controls. This setting will take effect right away, no need to restart Firefox.

Found this in the comments on John Resig’s blog

Slides of Reputation Presentation at Digital Identity Management Workshop 2007

2007-11-20T05:01:00Z

You know how a lot of people, when they post presentation slides, say that it’s really difficult to “get” the presentation from just the slides? Well I mean it. Seriously. My slides have very few words. If you’re still interested, be sure to check out the actual paper (pdf).

I don’t use PowerPoint or the like, instead I use a XUL application that runs in any Mozilla based-browser (like Firefox, Camino, Netscape etc.). In order to see the presentation, you’ll need to use one of those browsers.

This presentation was given at the Digital Identity Management Workshop of CCS in Virginia on 2 November 2007.

Reputation Presentation at DIM 2007

To download the presentation to view it locally I’ve also bundled it into a zip file

These slides were presenting the paper Using Reputation to Augment Explicit Authorization

The essence of our argument is that there is a spectrum of authorization approaches.

no authorization
authentication as authorization (where you can do anything if you are only able to log in)
explicit authorization where someone has to manually grant access to another person.

The first two can be automated, no manual intervention required. The gap between the second and third is considerable. We believe that reputation can be used to bridge that wide gap giving systems many characteristics of explicit authorization in an automated way, so that the system itself can be self scaling (in terms of authenticating users).

MountainWest RubyCamp This Saturday, 17 Nov

2007-11-15T00:37:00Z

The summary:

MountainWest RubyCamp 2007
Saturday, November 17th 2007
1:00 PM – 4:00 PM
Salt Lake City Library
Level 4 Meeting Room

The organizers have asked that if you’re coming to put your name on the wiki page

I’ve never been to a “Camp” before but I hear they are like “unconferences”. I go to the Internet Identity Workshop which is an unconference, and the results have been fantastic. Those who come are actively involved in the discussion, it’s quite refreshing.

I don’t know if I will present or not. I could lead a discussion and get people up to speed with the digital identity landscape—OpenID, CAS, InfoCard and some secret sauce :)

If you’re interested but a little put off that it is specifically about “Ruby” you should come anyway. Ruby is a good excuse to get together and rub elbows, it’s not an excuse to exclude interesting people or ideas.

For Posterity: Treatment for Severe Canker Sores

2007-11-14T23:31:00Z

Yeah I know, this is supposed to be a technology blog. This one’s for posterity.

I get severe canker sores. Huge. They hurt. They are no fun. It’s technically called Apthous Stomatitis . I’ll get open canker sores about the size of a dime or worse that last for several weeks. That wikipedia link and other sites enumerate many attempted treatments. Some things that work for one person just has no positive effect for another. I’ve tried most of them and none of them seem to help.

When I was growing up, baking soda applied directly to the sore would help it heal faster. It hurt like heck though. My cankers get larger nowadays and the baking soda technique just hurts like crazy and doesn’t help at all.

My contribution to posterity is to merely document a treatment I heard about which has helped me. I got this home treatment from my cousin, who is a doctor. I’m not a doctor so don’t mistake this for medial advice.

The treatment is to use a styptic stick or pencil. They’re not as common nowadays but you can still find them in drug stores. They’ll be marketed as a way to stop bleeding if you’ve nicked yourself shaving.

You run a little water over the styptic pencil and then apply it directly to the sore. It chemically cauterizes the sore. Sometimes it stings a little bit, but not terribly so. It’s nothing compared to the hurt from baking soda or salt. You will get a pretty potent taste of citrus.

So, if you are one of the unfortunate sufferers of recurrent severe cankers and nothings seems to work, using a styptic pencil might be worth a try.

Evidently I'm famous

2007-11-13T00:03:37Z

I know I’m not like some people who get 600 hits in one day from Reddit . I’ve been told that the true measure of “getting on the map” is when spammers take notice of you. They’ve noticed my blog, probably due to my incredibly massive readership. I thought I had my blog settings to moderate comments, but I was mistaken. Sorry if any of you were exposed to some of those terrible comments over the last couple of days.

My current blogging engine is Mephisto which has built-in support for Akismet . So far Akismet has taken care of the problem. I’m getting several hundred spam comments everyday, but none are getting through. None of the comments were particularly clever, but the volume is just no fun to keep track of by hand.

My university has a content filter (Dan’s Guardian) which uses blacklists as well as phrase weighting. I hadn’t thought about it before, but one drawback of using filters on the content is that when I went to remove spam comments, the comments triggered the content filter and kept me out of my own blog when I was trying to delete those very comments. Fortunately a semester ago they allowed a bypass that logged your action and let you through. Without that safety hatch I wouldn’t have been able to rectify the situation.

Can you Email me that?

2007-11-12T18:56:29Z

I was on the phone with my Mom and she had a document she wanted to send me.

<dl>

Devlin:

Mom, you’ve got a scanner. You can email it to me.

Mom :

Laughing It would be easier for me to send it in the mail!

</dl>

She’s telling the truth. Yes my mom is a very competent computer user. It’s just not easy enough. It’s not just her, it’s me too. The number of programs and such that you’ve got to get to work together is too many. The single button touch thingeroos on new all-in-ones don’t cut it. The software to listen for the scanner’s “convenience buttons” gum up the whole works, they consume insane amounts of memory and don’t ever seem to work right anyway.

It’s a sad reflection on the state of usability in software when the postal system, the POSTAL SYSTEM of all things is easier to use.