Friday, November 27, 2009
Blog: Proper Use of English Could Get a Virus Past Security
Proper Use of English Could Get a Virus Past Security
New Scientist (11/27/09) Blincoe, Robert
Johns Hopkins University security researcher Josh Mason says hackers could potentially evade most existing antivirus programs by hiding malicious code within ordinary text. Mason and colleagues have discovered how to hide malware within English-language sentences. Mason developed a way to search a large set of English text for combinations of words that could be used in malicious code. This potential weakness has been recognized in the past, but many computer security experts believed that the rules of English word and sentence construction would make executing an attack through the English language impossible. Machine code requires the use of character combinations not usually seen in plain text, such as strings of mostly capital letters. University College London security researcher Nicolas Courtois says malicious code hidden in plain language would be "very hard if not impossible to detect reliably." Mason and colleagues presented their research at the recent ACM Conference on Computer and Communications Security, but were careful to omit some of their methodology to avoid helping potential hackers. "I'd be astounded if anyone is using this method maliciously in the real world, due to the amount of engineering it took to pull off," Mason says.
Tuesday, November 24, 2009
Blog: New Standard Lets Browsers Get a Grip on Files
New Standard Lets Browsers Get a Grip on Files
CNet (11/24/09) Shankland, Stephen
The World Wide Web Consortium has published File API, an interface draft that Web browsers can use to better manipulate files and is part of a larger effort to provide a better foundation for interactive applications. File API defines ways browsers and Web sites can improve how they handle files, including selecting multiple files for upload, such as on photo-sharing sites or Web-based email. Other improvements govern the use of "blobs," or packages of raw binary data such as video files. Google has supported blobs for its Gears browser plug-in as a way to separate large videos into smaller pieces so uploads can be more easily resumed if a network problem interrupts the process. A major benefit is that files are handled asynchronously, meaning the browser will not freeze while a file is being uploaded or managed, and the browser reports back on the progress of file transfers. The interface is compatible with several standards, including the drag-and-drop support in HTML5, currently in development, and the Web Workers technology that improves the way browsers perform numerous operations simultaneously. The interface also can help Web applications process and understand the contents of files. For example, the interface could allow for Web applications that automatically search through a music playlist and find the lyrics to the songs on that playlist.
Monday, November 16, 2009
Blog: How Secure Is Cloud Computing?
How Secure Is Cloud Computing?
Technology Review (11/16/09) Talbot, David
The recent ACM Cloud Computing Security Workshop, which took place Nov. 13 in Chicago, was the first event devoted specifically to the security of cloud computing systems. Speaker Whitfield Diffie, a visiting professor at Royal Holloway, University of London, says that although cryptography solutions for cloud computing are still far-off, much can be done in the short term to help make cloud computing more secure. "The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn't apply if we were flying our own planes," Diffie says. "On the other hand, it is so much more economical that we don't realistically have any alternative." He says current cloud computing techniques negate any economic benefit that would be gained by outsourcing computing tasks. Diffie says a practical near-term solution will require an overall improvement in computer security, including cloud computing providers choosing more secure operating systems and maintaining a careful configuration on the systems. Security-conscious computing services providers would have to provision each user with their own processors, caches, and memory at any given moment, and would clean systems between users, including reloading the operating system and zeroing all memory.
Blog: Supercomputers With 100 Million Cores Coming By 2018
Supercomputers With 100 Million Cores Coming By 2018
Computerworld (11/16/09) Thibodeau, Patrick
A key topic at this week's SC09 supercomputing conference, which takes place Nov. 14-20 in Portland, Ore., is how to reach the exascale plateau in supercomputing performance. "There are serious exascale-class problems that just cannot be solved in any reasonable amount of time with the computers that we have today," says Oak Ridge Leadership Computing Facility project director Buddy Bland. Today's supercomputers are still well short of exascale performance. The world's fastest system, Oak Ridge National Laboratory's Jaguar, reaches a peak performance of 2.3 petaflops. Bland says the U.S. Department of Energy (DOE) is holding workshops on building a system 1,000 times more powerful. The DOE, which is responsible for funding many of the world's fastest systems, wants two machines to reach approximately 10 petaflops by 2011 to 2013, says Bland. However, the next major milestone currently receiving the most attention is the exaflop, or a million trillion calculations per second. Exaflop computing is expected to be achieved around 2018, according to predictions largely based on Moore's Law. However, problems involved in reaching exaflop computing are far more complicated than advancements in chips. For example, Jaguar uses 7 megawatts of power, but an exascale system that uses CPU processing cores alone could take 2 gigawatts, says IBM's Dave Turek. "That's roughly the size of a medium-sized nuclear power plant," he says. "That's an untenable proposition for the future." Finding a way to reduce power consumption is key to developing an exascale computer. Turek says future systems also will have to use less memory per core and will require greater memory bandwidth.
Thursday, November 12, 2009
Blog: Intel Says Shape-Shifting Robots Closer to Reality
Intel Says Shape-Shifting Robots Closer to Reality
Computerworld (11/12/09) Gaudin, Sharon
Researchers at Intel and Carnegie Mellon University (CMU) say distributed computing and robotics could be used to make shape-shifting electronics a reality in the not-too-distant future. The researchers are working to take millions of millimeter-sized robots and enable them to use software and electromagnetic forces to change into a variety of shapes and sizes. CMU professor Seth Goldstein and Intel researcher Jason Campbell recently reported that they are able to demonstrate the physics needed to create programmable matter. "It's been pretty hard but we've made a lot of progress," Campbell says. "Optimistically, we could see this in three to five years." Programmable matter is called claytronics, and the millimeter-sized robots are called catoms. Each catom would contain its own processor, and would essentially be a tiny robot or computer with computational power, memory, and the ability to store and share power. The goal is to program millions of catoms to work together by developing software that focuses on a pattern or overall movement of the entire system of tiny robots. Each robot will be smart enough to detect its own place in the pattern and respond accordingly. Part of the research effort involves developing new programming languages, algorithms, and debugging tools to get these systems to work together.
Wednesday, November 11, 2009
Blog: CIO Blast From the Past: 40 Years of Multics, 1969-2009
CIO Blast From the Past: 40 Years of Multics, 1969-2009
CIO Australia (11/11/09) Gedda, Rodney
Four decades ago, Multiplexed Information and Computing Service (Multics), widely considered the basis of contemporary time-sharing systems, was first employed for information management at the Massachusetts Institute of Technology (MIT). MIT professor and ACM 1990 A.M. Turing Award winner Fernando J. Corbato led MIT's Multics project. He says the implementation of Multics was driven by the need for "a higher-level language to program the bulk of the system to amplify the effectiveness of each programmer." Corbato says that "Multics was designed to be a general-purpose, time-sharing system so the focus was less on the novelty of the applications and more on the ease of developing and building applications and systems." He counts the Unix programming language to be Multics' most significant legacy, noting that both Multics and Unix exploited their hardware effectively. Among the features used in modern computing that Corbato lists as being first developed or thought up with Multics are hierarchical file systems, file access controls, and dynamic linking on demand. "The real legacy of Multics was the education and inculcation of system engineering principles in over 1,400 people directly associated with operating, maintaining, extending, and managing the system during its lifetime," he says. "Because we made documentation and publications a mainstay of the project, countless others have also been influenced."
Tuesday, November 10, 2009
Blog: Google Launches New Programming Language: Go
Google Launches New Programming Language: Go
eWeek (11/10/09) Taft, Daryl K.
Google has unveiled Go, a new programming language the company says offers the speed of working in a dynamic language such as Python and the performance and safety of a compiled language such as C or C++. "Go is a great language for systems programming with support for multi-processing, a fresh and lightweight take on object-oriented design, plus some cool features like true closures and reflection," according to the Google Go team in a blog post. However, Google is not using the experimental language internally for production systems. Instead, Google is conducting experiments with Go as a candidate server environment. "The Go project was conceived to make it easier to write the kind of servers and other software Google uses internally, but the implementation isn't quite mature enough yet for large-scale production use," according to the FAQ on the Go language's Web site. With Go, developers should find builds to be nearly instantaneous. Large binaries will compile in just a few seconds, and the code will run close to the speed of C. Go is the second programming environment Google has released this fall. In September, Google released Noop, a Java-like programming language.
Blog: Inventing Language; comments by 2008 Turing Award winner Barbara Liskov
Inventing Language
MIT News (11/10/09) Hardesty, Larry
Massachusetts Institute of Technology (MIT) professor Barbara Liskov, winner of ACM's 2008 A.M. Turing Award, recently delivered the first lecture of MIT's 2009 Dertouzos Lecture Series. Liskov, who received the Turing Award in part for the work she did in the 1970s establishing the principles for the organization of programming languages, began her talk by describing the environment in which she performed her pioneering work. Liskov explained that in the fall of 1972, after reviewing the literature in the field, she developed the idea for what is known now as abstract data types. After developing that idea, Liskov says she and some collaborators created a programming language, CLU, which put most of her ideas into practice. The remainder of Liskov's lecture focused on a demonstration that CLU prefigured many of the ideas common in modern programming languages, such as polymorphism, type hierarchy, and exception handling. During a question and answer session, Liskov said the secret to her success was not working that many hours a day, going home at night, and not working in the evening. "I always found that downtime to be really useful," she said. Liskov also stressed the importance of working on interesting research, instead of research that is most likely to get published.
Monday, November 9, 2009
Blog: Web Security Tool Copies Apps' Moves; "Ripley," developed by Microsoft Research
Web Security Tool Copies Apps' Moves
Technology Review (11/09/09) Mims, Christopher
Microsoft researchers have developed Ripley, a way to secure Web applications by cloning the user's browser and running the application remotely. Ripley, announced at ACM's Computer and Communications Security Conference, which takes place Nov. 9-13 in Chicago, prevents a remote hacker or malicious user from changing the behavior of code running inside a Web browser by creating an exact copy of the computational environment and running that copy on the server. Ripley also relays all of the user's actions, including mouse clicks, keystrokes, and other inputs, from the client to the server as a compressed event stream. The behavior of the clone code is compared to the behavior of the application running on the user's browser. If any discrepancies occur, Ripley disconnects the client. "You cannot trust anything that happens in the client," says Ripley lead developer Ben Livshits. "It's basically the devil in the browser from the developer's point of view." Livshits says Ripley is completely invisible to the end user and will not affect the normal function of a Web application. Ripley can even enhance the performance of Web applications, because the clone program is written in .Net, which is 10 to 100 times faster than the JavaScript used on the client side. University of California, Berkeley researcher Adam Barth says Ripley is part of a larger trend to protect the integrity of client-side programs. "The work suggests that security would benefit if we validated more than we're validating today," Barth says.
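The replicated-execution check the summary describes, as an added illustration that is not Ripley's own code: the browser ships a compressed event stream plus the request its application code wants to make, the server replays the same events through its own copy of the (deterministic) application logic, and any discrepancy ends the session. The catalogue, event format and the tampered-total case are constructed for the example.

```python
import json
import zlib

# Constructed catalogue standing in for the web application's data.
PRICES = {"book": 12.00, "pen": 1.50}


def run_app(events):
    """Deterministic application logic. The same function models both the
    JavaScript running in the browser and the clone running on the server."""
    cart = {}
    qty_buffer = ""
    for ev in events:
        if ev["type"] == "key" and ev["key"].isdigit():
            qty_buffer += ev["key"]          # user types a quantity
        elif ev["type"] == "click" and ev["target"] in PRICES:
            qty = int(qty_buffer) if qty_buffer else 1
            cart[ev["target"]] = cart.get(ev["target"], 0) + qty
            qty_buffer = ""
    total = round(sum(PRICES[item] * q for item, q in cart.items()), 2)
    return {"cart": cart, "total": total}


def client_submit(events, tamper=False):
    """Browser side: ship the compressed event stream together with the
    request the client-side code wants to make. tamper=True models a
    modified client that rewrites its own total before sending it."""
    request = run_app(events)
    if tamper:
        request["total"] = 0.01
    stream = zlib.compress(json.dumps(events).encode())
    return stream, request


def server_check(stream, client_request):
    """Server side: replay the events through the clone and compare its
    request with the one the client actually sent. Nothing the client
    computed is trusted; only the replay decides."""
    events = json.loads(zlib.decompress(stream).decode())
    expected = run_app(events)
    return "accept" if expected == client_request else "disconnect"


# Constructed session: the user types "2", clicks the book, then clicks a pen.
EVENTS = [
    {"type": "key", "key": "2"},
    {"type": "click", "target": "book"},
    {"type": "click", "target": "pen"},
]

if __name__ == "__main__":
    print(server_check(*client_submit(EVENTS)))               # accept
    print(server_check(*client_submit(EVENTS, tamper=True)))  # disconnect
```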
Blog: What Computer Science Can Teach Economics
What Computer Science Can Teach Economics
MIT News (11/09/09) Hardesty, Larry
Professor Constantinos Daskalakis in the Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory is applying the theory of computational complexity to game theory. He argues that some common game-theoretical problems are so challenging that solving them would take the lifetime of the universe, and thus they fail to accurately represent what occurs in the real world. In game theory a "game" represents any mathematical model that associates different player strategies with different results. Daskalakis' doctoral thesis disputes the assumption that finding the Nash equilibrium for every game will allow the system's behavior to be accurately modeled. In the case of economics, the system being modeled is the market. Daskalakis' thesis illustrates that for some games, the Nash equilibrium is so difficult to calculate that all the world's computing resources could never find it in the universe's lifetime. In the real world, market rivals tend to calculate the strategies that will maximize their own outcomes given the current state of play, rather than work out the Nash equilibria for their specific games and then adopt the resulting tactics. However, if one player changes strategies, the other players will change strategies in response, driving the first player to shift strategies again, and so on until the feedback pathways eventually converge toward equilibrium. Daskalakis contends that feedback will not find the equilibrium faster than computers could calculate it.
Tuesday, November 3, 2009
Blog: Is AES Encryption Crackable?
Is AES Encryption Crackable?
TechNewsWorld (11/03/09) Germain, Jack M.
The Advanced Encryption Standard (AES) system was long believed to be invulnerable to attack, but a group of researchers recently demonstrated that there may be an inherent flaw in AES, at least theoretically. The study was conducted by the University of Luxembourg's Alex Biryukov and Dmitry Khovratovich, France's Orr Dunkelman, Hebrew University's Nathan Keller, and the Weizmann Institute's Adi Shamir. In their report, "Key Recovery Attacks of Practical Complexity on AES Variants With Up to 10 Rounds," the researchers challenged the structural integrity of the AES protocol. The researchers suggest that AES may not be invulnerable and raise the question of how far AES is from becoming insecure. "The findings discussed [in the report] are academic in nature and do not threaten the security of systems today," says AppRiver's Fred Touchette. "But because most people depend on the encryption standard to keep sensitive information secure, the findings are nonetheless significant." AirPatrol CEO Ozzie Diaz believes that wireless systems will be the most vulnerable because many investments in network media are wireless, and there is no physical barrier to entry. Diaz says that exposing the vulnerability of the AES system could lead to innovations for filling those gaps. Touchette says that AES cryptography is not broken, and notes that the latest attack techniques on AES-192 and AES-256 are impractical outside of a theoretical setting.
Monday, November 2, 2009
Blog: First Test for Election Cryptography
First Test for Election Cryptography
Technology Review (11/02/09) Naone, Erica
An election in Takoma Park, Md., held this November will be the first to use Scantegrity, a new vote-counting system that uses cryptography to ensure that votes are cast and recorded accurately. Scantegrity's inventors say the system could eliminate the need for recounts and provide better assurance that an election was conducted properly. Scantegrity allows voters to check online to ensure their votes were counted correctly, and officials and independent auditors can check to make sure ballots were tallied properly without seeing how an individual voted. Scantegrity developer David Chaum says the system uses a familiar paper ballot, which requires that voters fill in the bubble next to the name of their preferred candidate. The ballot is then fed into a machine that scans it and secretly records the result. The difference from other systems is that a special type of ink and pen are used, and when the voter fills in a bubble on the ballot a previously invisible secret code appears. The voter can record the code or codes and check them online later. If the code appears in the online database, the ballot was counted correctly. Every ballot has its own randomly assigned codes, which prevents the process from revealing which candidates a voter selected. Auditors can ensure all votes were counted correctly by comparing a list of codes corresponding to votes and a list of the results. University of Maryland, Baltimore County professor Alan Sherman says Scantegrity is fundamentally better than other systems in regards to integrity, and makes it possible to audit elections with much greater accuracy and certainty.
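A simplified model of the confirmation-code flow just described, added here as an illustration and not Scantegrity's own code: per-ballot random codes are committed to before voting, the voter records the code revealed by the bubble and checks it on the public board, and an auditor checks a random sample of unvoted ballots against the commitments and the posted codes against the tally. The candidate list, hash commitment and the audit steps are constructed assumptions; the real system's cut-and-choose audit of the code-to-candidate tables is not modelled.

```python
import hashlib
import secrets

CANDIDATES = ["Alice", "Bob"]  # constructed candidate list


def make_ballots(n):
    """Election authority, before the election: every ballot gets its own
    random confirmation code per candidate and a salt for the commitment."""
    return {
        bid: {
            "codes": {c: f"{secrets.randbelow(1000):03d}" for c in CANDIDATES},
            "salt": secrets.token_hex(8),
        }
        for bid in range(n)
    }


def commit(ballot):
    """Published before voting: hides the printed codes but fixes them."""
    data = "|".join(ballot["codes"][c] for c in CANDIDATES) + "|" + ballot["salt"]
    return hashlib.sha256(data.encode()).hexdigest()


def fill_bubble(ballots, bid, choice):
    """Voter marks a candidate with the special pen; the code under that
    bubble becomes visible and the voter writes it down."""
    return ballots[bid]["codes"][choice]


def scan_and_publish(ballots, votes):
    """Scanner records each choice; afterwards the authority posts only
    (ballot id, revealed code), never which candidate a code stands for."""
    tally = {c: 0 for c in CANDIDATES}
    board = {}
    for bid, choice in votes.items():
        tally[choice] += 1
        board[bid] = ballots[bid]["codes"][choice]
    return tally, board


def voter_check(board, bid, recorded_code):
    """Voter: my code is on the board, so my ballot was counted as cast."""
    return board.get(bid) == recorded_code


def audit(ballots, commitments, board, tally, spoiled):
    """Auditor: (1) unvoted ballots chosen at random are fully opened and must
    match their pre-election commitments, so printed codes were not swapped
    after the fact; (2) the number of posted codes must equal the tally."""
    for bid in spoiled:
        if bid in board or commit(ballots[bid]) != commitments[bid]:
            return False
    return len(board) == sum(tally.values())
```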