Why does Microsoft push unpatched software via Windows Update?

It is, for a change, a very good question from CNet. If you know that security vulnerabilities exist in your software, and you’ve already patched those vulnerabilities, and you have a well-documented process for slipstreaming patches into existing installs, and you have an automatic update process

… why in the hell would you have that automated update service push the unpatched software rather than fully patched versions?

The short time between install and patch isn’t a good enough reason. Even if Microsoft automatically forced a re-run of Windows Update after each update session, as Mac OS X does, history shows that it doesn’t take long for unpatched, vulnerable software to be exploited. There is relatively little cost to Microsoft to prepare fully patched downloads, and the payback is huge risk avoidance. Fix it, already, guys.

Google opens the Cloud

Google App Engine appears to be Google’s answer to Amazon’s web services—a simple, highly scalable development and deployment platform for web apps that need to scale. It’s an interesting offering that takes a slightly different tack from Amazon, with the requirement to build an app as a fully integrated stack (not to mention, the application needs to be in Python, at least for the first iteration). But I like it nonetheless, especially at the entry pricing: as Dave Winer pointed out in a prescient piece last week, web services should be free at the low-bandwidth end of things; it’s a great way to build an ecosystem. Having one player in the cloud business is an experiment. Two makes it competitive, and that means that the offerings for developers will only get better and better.

It begs the question, of course, of when Redmond will wake up and realize that the last remnants of its Old Republic are being swept away.

Congrats to Google product manager and Sloanie Tom Stocky, who seems to be at the center of a lot of good things from Google these days.

People come in waves

I’m starting to think that people on social networks, like everything else, follow predictable principles of organization. You can be in an equilibrium for months, adding very few friends to your local aggregation of people, when all of a sudden someone new shows up, and you make dozens of connections in the next few days. Punctuated equilibrium, I think, is the phenomenon that I’m describing. Or just plain old statistical mechanics.

Yeah, it’s that weird kind of night.

So the War on Liquids is the War on Tang

Normally I write about application security in this space, but occasionally I’m inspired to write about physical security as well. In this case: Remember the 2006 Heathrow incident that started the War on Liquids? The one in which people were supposed to be bringing the ingredients for a liquid bomb on a flight? Well, the Daily Mail says that they were planning to mix hydrogen peroxide with another unnamed compound, which Bruce Schneier and the Guardian name:

Tang.

That’s right. The drink that took the astronauts to the moon was supposed to blow up seven planes.

Heh. Read the thread on Schneier’s blog for information about the feasibility of this threat, and then ask yourself why we still have to carry on 4 ounce portions of liquid and taste our baby’s breast milk.

Security theatre does not equal security.

PWN 2 OWN: platform battle or bad app showdown?

The recent coverage of the PWN 2 OWN contest, in which hackers broke into a MacBook Air and a Vista laptop, has generated a little blog heat—but in a misleading way. The headline of this InfoWorld post is an example: MacBook Air is Insecure. With all due respect to Mr. Hultquist, that’s like saying that water is wet. At this point, the way to look at it is not whether a platform is secure or insecure, but rather how much effort it takes to exploit the platform.

As long as software has flaws, it opens computers up to attacks. The fact that the MacBook was hacked through a Safari vulnerability and the Vista machine through a Flash flaw, and that neither could be hacked directly from the network, says something about the manufacturers’ networking code. But more, it says that this contest is not about whether the Mac is more secure than Vista or Ubuntu, but about the risks introduced by applications with bugs.

So for software vendors it becomes much more critical to find and fix those flaws, and for users, as Hultquist rightly points out, the right approach is to be aware that these vulnerabilities may exist and to behave accordingly.

April First roundup

Man. You can tell the Internet is getting boring when no one bothers to do April Fools’ Day pranks. Except for the following:

  • Google: Virgle: The Adventure of Many Lifetimes. Answer a questionnaire and upload a YouTube video and you could be on your way to Mars!
  • Zero in a Bit: New Attack Class: XSNADOR. Because we need more acronyms to describe the process of hacking things, this one will rise alongside XSS and XBI to fill a needed void: how to describe trivial hacks against social networking sites. In fact, I would propose a new meta-name for this type of acronym: YAVA (Yet Another Vulnerability Acronym).
  • Gmail: Custom Time. Send an email to the past!
  • YouTube: Every featured link on the home page is a RickRoll!
  • Google Calendar: Free wakeup kit!

Geez, other than Google (and, um, my company), is anyone else out there celebrating the foolishness?

Update: Okay, spoke too soon. While the placement of Ima Hogg as the featured article at Wikipedia might itself be an April Fools’ joke, surely the rewritten lead for the article definitely qualifies: “Ima Hogg was an enterprising circus emcee who brought culture and class to Houston, Texas. A storied ostrich jockey, she once rode to Hawaii to visit the Queen. Raised in government housing, young Ima frolicked among a backyard menagerie of raccoons, possums and a bear…”

And then there’s ever-reliable TidBITS: iPhone Goes International With Iridium, Take Control of (Backdating Stock Options, Swearing in Esperanto, Spouse Sharing in Leopard…), new Twitter feed, US Court Declares Email Bankruptcy Illegal, Mac Users Affected by New Virus, Merriam-Webster Accepts Sponsorship to Redefine Unlimited, and Time Machine Support Added to iPhone and iPod Touch. Nice job, guys. That’s more like it.

Electronic text comes to family research

When my grandfather passed away in January, I made a resolution that I would do what I could to ensure that he was not forgotten and that my descendants would know about him. So I started a little project that blossomed. The Brackbill Wiki is a set of pages I set up to collect family genealogy information, primarily original documents and pointers to photos. In the process of getting the site together, I also collected a bunch of information about various family members, friends, and institutions.

The core of the site is a set of documents from my grandfather and other family members that he gave to us or that he left behind. In particular, other family members and I are in the process of transcribing four years of his journal that span from the time he graduated from the state teachers’ college to the time my mom was born. The 1939 journal has been completely transcribed and the 1940 journal is in progress. We also used the site to provide a new home for my sister’s project, “Great Aunt Eva’s Blog,” which disappeared when her old blog host shut down. Esta is in the process of bringing it back on the new site right now.

There are a bunch of cool things that have come out of the process of transcribing these journals. I’ve gained a new appreciation for my grandparents’ lives (just how did they work six days a week and go out every night to choir practices and committee meetings? I only work five and I’m exhausted when I get home), for the people they spent time with (Twiddley!), and the infrastructure in which they grew up. I’ve also gotten to know my grandfather, and his sense of humor, a little better.

What occurred to me the other day was how this project is analogous, on a humbler scale, to big digital humanities projects like the Valley of the Shadow project, in which former UVA professor Ed Ayers and a team of students indexed and digitized reams of original materials from two Civil War era communities. In this case, our scope and our team are quite a bit smaller, but thanks to the wiki technology we used, the material is coming together quite a bit faster.

Note, 2017-03-29: the Brackbill Wiki has since moved to a new location.

Secrets of Wikipedia research

Also known as: How on earth did people write encyclopedias before the Internet?

I’ve been a regular editor on Wikipedia for a while now, with a pretty narrow focus on the University of Virginia and related topics. In the process, I’ve found a list of sources that have made the topic much easier, and might be helpful for other fans of the history of the University:

Note that the sources are hosted by the UVA Library, Google Books, and the Internet Archive. Without the efforts of text initiatives like these I don’t think that what is being done on Wikipedia would be possible. I don’t think that I imagined, when I was an intern applying SGML markup to out-of-copyright texts in the University’s Electronic Text Center (since incorporated into the library’s Scholars Lab), that the work would lead here.

The non-linear cost of bad software development

I ran across an interesting concept in my reading today: technical debt, and its cousin design debt. The concept is basically the application of the Second Law of Thermodynamics to software development. As you develop software, you affect the entropy of the code. Feature development typically increases entropy, while refactoring and explicit design activities decrease entropy.

Why do we care about entropy in software code? Code with high entropy is harder to maintain, harder to fix bugs in, and harder to add features to. It basically increases the cost and time to get new releases of the software out.

The concept of design debt argues that this kind of entropy is additive across releases, and that each time you perform entropy-positive actions you increase the amount of work needed to dig out and make the code maintainable again.

I’ve lived this, for sure, and I suspect most others have too. But what makes it really interesting is thinking about it dynamically, where it is made clear that design debt decreases the profitability of a project. I think it’s even worse than it appears in the diagram, because the diagram neglects the time dimension. As the cost of development increases, more than likely the time to develop also increases—which means that Domain Evolution proceeds even farther while you are trying to catch up. This means that you have to increase the number of features even more, but that incurs a higher design debt still. It’s an unpleasant positive feedback loop.
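To make the feedback loop concrete, here is a toy simulation added to this post; it is not the author’s model and not the diagram the post refers to. Every parameter in it is an assumption: each release must ship a base number of features plus a catch-up term proportional to how long the previous release took (the domain evolving while you build), every feature costs more in proportion to the debt already carried (the interest), each feature adds one unit of debt, and a chosen fraction of the outstanding debt is paid down, at one unit of effort per unit of debt, before each release.

```python
from dataclasses import dataclass


@dataclass
class Release:
    features: float   # features that had to be built in this release
    refactor: float   # effort spent paying down debt before building
    build: float      # effort spent building features at the inflated rate
    debt: float       # design debt carried into the next release

    @property
    def duration(self) -> float:
        # Team capacity is assumed to be one unit of effort per unit of time,
        # so effort and elapsed time are the same number.
        return self.refactor + self.build


def simulate(releases: int, refactor_fraction: float = 0.0, *,
             base_features: float = 10.0, drift: float = 0.5,
             interest: float = 0.05) -> list[Release]:
    """Toy model (assumed, not from the post) of design debt as a feedback loop.

    base_features:     features every release must ship regardless of timing.
    drift:             extra features per unit of time the previous release took,
                       i.e. how fast the domain moves on while you are building.
    interest:          fractional cost increase per unit of outstanding debt.
    refactor_fraction: share of outstanding debt paid down at the start of
                       each release, at one unit of effort per unit of debt.
    """
    debt = 0.0
    prev_duration = 0.0
    history: list[Release] = []
    for _ in range(releases):
        refactor = refactor_fraction * debt
        debt -= refactor
        # Domain evolution: the longer the last release took, the more you owe.
        features = base_features + drift * prev_duration
        # Debt makes every feature more expensive to add.
        build = features * (1.0 + interest * debt)
        # Feature work is entropy-positive: one unit of debt per feature.
        debt += features
        rel = Release(features, refactor, build, debt)
        history.append(rel)
        prev_duration = rel.duration
    return history


def total_effort(history: list[Release]) -> float:
    return sum(r.duration for r in history)


if __name__ == "__main__":
    for fraction in (0.0, 0.5):
        hist = simulate(4, fraction)
        print(f"refactor_fraction={fraction}")
        for i, r in enumerate(hist):
            print(f"  release {i}: features={r.features:6.2f} "
                  f"duration={r.duration:7.2f} debt={r.debt:6.2f}")
        print(f"  total effort: {total_effort(hist):.2f}")
```

Running it with no refactoring gives release durations of 10, 22.5, 47.8 and 112.3 units: each release takes more than twice as long as the last, because the longer release pulls in more catch-up features, which add more debt, which makes every feature dearer. Paying down half the debt before each release costs extra effort up front but brings four releases in for about 149 units instead of about 193.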

Design mistakes cost

I’ve stopped reading Jakob Nielsen on a regular basis, so I missed this: Top-10 Application-Design Mistakes. As it turns out, this is one of the few of Jakob’s Alertboxes that I agree with more than disagree with. Iterative design, paper prototypes, decide what your app should do, beware nonstandard GUI controls, design for the user rather than the back-end system, etc.

Number two particularly amuses me. I was on a business trip with someone who was bitten, hard, by this bug (on a different travel site). His boss booked his travel, and didn’t pay attention to the fact that the position of the months on the calendar changed between the Start and End date fields. Worse, the travel was in February in a non-leap year, so there wasn’t even a difference in date numbers to clue him in (since the Wednesday in March was exactly 28 days after the Wednesday in April). Result? A very long delay for our friend at McCarran Airport in Las Vegas trying to straighten the problem out, so that my friend could get back 30 days earlier than his ticket specified.

Usability mistakes cost.
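The calendar trap in the story above, as an added example that is not code from the post: in a non-leap year a date in February and the date 28 days later in March share both the weekday and the day number, so two date pickers whose month panels have shifted can look identical at a glance. The helper below finds such lookalike dates, and the second function is an assumed form-side check that a booking page could use to demand an explicit month confirmation before accepting the pair.

```python
from datetime import date, timedelta


def lookalike_dates(d: date) -> list[date]:
    """Dates in a neighbouring month with the same weekday and day number as d.

    Two dates 28 days apart always fall on the same weekday; they carry the
    same day number only when the month between them has exactly 28 days,
    i.e. February in a non-leap year. 56 days can never do it, since no two
    consecutive months add up to 56 days.
    """
    hits = []
    for delta in (-28, 28):
        candidate = d + timedelta(days=delta)
        if candidate.day == d.day and candidate.month != d.month:
            hits.append(candidate)
    return hits


def needs_month_confirmation(start: date, end: date) -> bool:
    """Assumed form check: True when end is a lookalike of start, so the two
    pickers would show the same weekday column and day number and differ only
    in the month label that the user may not have read."""
    return end in lookalike_dates(start)


if __name__ == "__main__":
    # Constructed sample: 2007 was not a leap year, 2008 was.
    for sample in (date(2007, 2, 7), date(2007, 3, 7), date(2008, 2, 6)):
        print(sample, sample.strftime("%A"), "->", lookalike_dates(sample))
    print(needs_month_confirmation(date(2007, 2, 7), date(2007, 3, 7)))
```

Wednesday 7 February 2007 has the lookalike Wednesday 7 March 2007, while Wednesday 6 February 2008 has none because that February had 29 days. A picker that shows the month name next to the selected day, rather than only the grid, removes the ambiguity; the check above is the fallback for forms that do not.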

Getting ready for the big one

The big concert, that is, or concerts to be more precise. The last Tanglewood Festival Chorus concert series of the Symphony Hall part of our season is coming up, and it’s big: Hector Berlioz’s two part opera, Les Troyens. Everything about it is big: five acts divided into two nights, big chorus, big orchestra, big writing.

The background on the opera’s composition makes for some interesting reading, a classic battle between artist and public. Berlioz wrote what he felt to be a magnum opus, only to have it whittled down by the only opera house willing to perform it. Of the audiences who came to see the opera, he remarked glumly, “Yes, they are coming, but I am going.”

We’ve had a pair of rehearsals, and all I can say is that so much tonality, after the astringent aesthetic of the Bolcom, feels kind of sinful. Should be a fun run.

Opening Day, very early in the morning

New York Times: Red Sox Top A’s, 6-5, in Tokyo Opener. For the curious, no, I did not get out of bed at 5:30 to watch the opener. I did, however, tune into the game on AM radio—something I haven’t ever used on my car before—on the way in to work, to hear that the A’s were up in the seventh inning.

Yes indeed: daytime temps nearing 50, the Red Sox are back in action, and it’s still light when I drive home from work. Must be spring.

Ham and mushrooms, butter and garlic

It’s been a while since I wrote a food-oriented post—and of course a holiday weekend is just the thing to trigger one. Lisa’s parents were here this weekend, so our relatively freewheeling Easter dinner that we have honed over the past few years got expanded a little stylistically while reining in a few of the more eccentric ingredients.

The menu: deviled eggs for hors d’oeuvres; glazed ham; mashed potatoes; asparagus; and mushrooms. The deviled eggs were the most restrained compared to past years, where I used wasabi in place of the horseradish my parents always used to perk things up. Instead of wasabi, I just used hot sauce, slightly increased the salt for flavor, and diced up some shallot very fine to mix into the filling. The eggs were superb: eminently edible but leaving one still hungry—and thirsty. As is also traditional at Easter, I accompanied mine with a small amount of bourbon over ice as I was cooking. This year it was Blanton’s, a serendipitous find that I was delighted to have in my liquor cabinet. No juleps this year, though; for one thing, at 30-something degrees, it was too damned cold out to have them or want them.

The potatoes were simple too—half and half and butter in the place of the chicken broth and buttermilk that I’ve used in the past to give them flavor, and I thought the potatoes were bland as a result. But! They were a perfect foil to the mushrooms (sliced, cooked in olive oil and butter with more diced shallot and two cloves of garlic, and then finished covered in the pan), which were a hit. The garlic was definitely the thing. Alas, the asparagus! Cooked much too long.

The ham was tasty, but—and here regional prejudices rear their head—I do wish I could have found a proper ham. And by proper, I mean country ham, dry-aged, the kind that comes in a burlap bag and tastes a little like a salt lick and a little like a smoky prosciutto. That’s the ham I had a lot of growing up, both at home and at church, where ham biscuits were the order of the day after a sunrise service. But this ham, a spiral-sliced ham with a brown sugar and orange juice glaze, was pretty good in its own way, just not quite the way my mouth remembered it.

After dinner, of course, the requisite ham biscuits. Mine reflected my inner culinary struggle, with mustard on top and butter on the bottom. Yes! Butter with ham. And if you think it’s insane, ask the street vendors in Provence selling jambon cru sandwiches with thick local butter about it, and then come back and tell me I was right. Of course it’s not the Provençal coming out in me so much as the Pennsylvania Dutch grandmother, but oh well.

Others had clam chowder with dinner (Legal’s, sold prepackaged), and it occurred to me how much easy access to the greatest ambrosia breeds contempt. Watching the others eat it made me think about the Bull Island clam chowder I grew up with, cooked with a clear broth, not milk, and certainly not with tomato.

Program to live vs. live to program: early hacker critique

Happy Good Friday! In honor of the day when history turned upside down, here’s a keen little insight from the late Joseph Weizenbaum (via helmintholog, via Scott Rosenberg): some programmers are compulsive programmers who, in taking a purely software-centric approach to solving problems, set themselves up for failure and take the organizations in which they work hostage. Weizenbaum cites some nifty examples of this, such as the programmer who can’t be bothered to write documentation for his mission-critical hacks.

Weizenbaum goes on to cast this critique of hacker culture—the concept that everything can be explained by the computer, and that no external skills are needed—in the context of scientism, the belief that science alone, without external belief systems or other human considerations, is sufficient to explain everything about the world around us.

I may have to go and dig up a copy of the book. It sounds like a thought-provoking read along the lines of Winner’s The Whale and the Reactor.