optionsScalper

verbose=on, snakeOil=off, pontification=on, humanIntelligence=off

News

I have been having problems with comments. If you need to comment, please see the contact button at the top of the page.

Monday, May 23, 2005 - Posts

What’s in a name: JJBResearch

So ALL of my friends (yup, all one of them) that have an online presence or care to read these ugly ramblings have asked the same question: JJBResearch? And .org? What’s up with that scalper?

For the record, JJB Research is not:

  1. Ju-Ju Bean Research
  2. Jar Jar Binks Research

Other comments asked why do a .org instead of a .com. I can honestly say that jjbresearch.org and jjbr.org both represent what they intend to represent: an organization that does research.  JJB is significant; it's just not ATB.

posted Monday, May 23, 2005 11:34 PM by optionsScalper with 0 Comments

Epidemiology, Epistemology, Embryology and Etiology - I'd rather go back to a simple life

Wow.  By reading this piece, I have either gained your trust, or you are ready to dial the insane asylum and report a guy writing some insane stuff.  I'll assume the former.

So in the study of GP and EC (by now you know the links), it is critical to have discipline in what transpires in the modeling and experimentation environments.  I've mentioned characterization in the past as an important step in the modeling of a GP.  These terms will help to formalize what to expect of a model in hypothesis testing.  Let's review:

  • Epidemiology - The study of epidemics in humans.
  • Epistemology - The study of philosophy dealing in the scope and origin of knowledge.  This study also deals with the nature of knowledge.
  • Embryology - The study of the origins of a lifeform and its early stage growth.
  • Etiology - The study of cause.  This is typically used in medicine to describe the reasons for some occurrence of a disease or other anomaly.

Thanks for stopping by.  Did you need that phone number to report me?  Why on Earth is this stuff so important if I'm going to study GP or EC?

The notion of generation (GP) and the notion of framing (EC) are critical in these disciplines.  I must have a context for discussion of the growth of populations and their organisms in GP.  By observing the studies of epidemiology and embryology, I can acquire some of the disciplines and practices that may be useful in GP.  By becoming a student of Epistemology and by recognizing Etiology as a discipline, I create a framework for the observations in framing in EC and generations in GP.

Ask the questions, what do I represent in GP in the genotype?  How does the phenotype respond?  In an EC, what must be provided to an experiment to allow for OEE and OEB (see here)?

Become familiar with these terms.  Do some reading or research to round out your background.  These simple perspectives will provide invaluable insights.

posted Monday, May 23, 2005 10:57 PM by optionsScalper with 0 Comments

Did your Grammar Stop By Today? Prescriptive and Descriptive Grammars

In an earlier comment, I mentioned that I believe that language and linguistics will have to take center stage in computing at some point (or something to that effect).

Prescriptive and Descriptive Grammars are important concepts in linguistics.  They actually have applicability to computation.  Let's start with a practical approach of the two adjectives (in noun form):

  • Prescription - Prescription is the establishment of the rules or norms of a language.
  • Description - Description is the usage of the language in practice, i.e. by describing the language.

So far so good.  I'm not looking too crazy here (yet).

  • Prescriptive Grammar - The prescription of grammar to formalize language.
  • Descriptive Grammar - The description of grammar to practice language.

On a regular basis, my brother-in-law claims that "doh" is a word, claiming its source as Homer Simpson in the TV show The Simpsons.  My typical reply is "Who's Homer Simpson?"

"doh" as a word in prescriptive grammar would likely not exist as it is not really a word, i.e. it hasn't met some test for intelligence, rationality, conformity or otherwise.  "doh" in descriptive grammar allows that it is in fact a word and that it states what it intends to state, i.e. it does not need a test for intelligence or otherwise.

Another example would be as follows:  "That house across the street is dark blue." is a statement using prescriptive grammar.  "A house on this street is dark blue." is a statement using descriptive grammar.  Those familiar with First Order Logic would immediately observe that the first statement uses a universal quantifier while the second statement uses an existential quantifier.  Set theory would observe that the first statement contains a reference to a finite set that contains one element whereas statement two contains a reference to a finite set whose cardinal number is unknown.  It looks like some needed unification is in order across some of these disciplines (and I am not the one to do this).

Programming languages use prescriptive grammars.  They use formalized structure.  There are tests for whether there is intelligence (I've seen some garbage, as have many of you I'm sure), rationality (again, hmmmm), appropriateness and other criteria to be met.  Most programming languages use perfect aspect, with definite articles and proper nouns (although the language may only allow for certain morphemes).

Normally in this context, I would include a discussion of generative grammars, but I'll hold that in abeyance.

I'm just trying to decide if I can construct a prescriptive realism in which my brother-in-law doesn't exist  . . .

posted Monday, May 23, 2005 10:37 PM by optionsScalper with 4 Comments

EC: OEE and OEB - Get to know me

In the study of Emergent Computation, there are two concepts:  The OEE and OEB.  Let's look at the qualitative aspect of these two.

Observable Emergent Event (OEE):  In an EC experiment, an observable emergent event is something that occurs at a point in time.  The temporal aspect may be significant or insignificant for the experiment.

Observable Emergent Behavior (OEB):  In an EC experiment, observable emergent behavior is something that occurs that cannot be described (loosely) by the rules of the environment or the agents or any other first-class collateral of the experiment.

Ok, let's try that in English.  Here are some easy examples:

If I play one of these multiplayer games with many game characters on the internet or at home, e.g. Rome Total War, Age of Empires or other games, I'm watching a (very) simple form of EC.  If in these games I witness two armies engage in a big battle, I witness an OEE (event).  If I witness units in the battlefield that attempt to stand in formation and because of obstacles or space constraints or other criteria are unable to construct the formation, the observable formation is an OEB (behavior).

Another example is the use of the internet.  At lunch time in each time zone across the country, every worker in America with a computer and free time manages to start a session of surfing, googling, IM or other internet activity.  The observable event is that internet routers overload at some point in time (OEE).  The activity and the time of engagement of each activity by each user is still independent.  That I can observe this pattern over a four hour period (one lunch hour for each time zone) is an example of OEB.

So far, the concepts of OEE and OEB can be defined qualitatively.  They are usually defined this way.  Let's see if we can't give them some quantitative measure.  Rather than doing a formal EC approach, let's look at the pertinent highlights.  Please do not use this as a reference, but rather as a simple example.  The disciplines of EC require much more scrutiny than the following treatment allows.

How 'bout them honey monkeys.  These agents move around in the web world attempting to discover sites that phish.  There are a few other groups that go around performing this activity.  It is a socially responsible activity.  Can we measure their effectiveness?  (NOTE:  In theory of computation work, the answer is no;  this is an NP-COMPLETE problem and may actually move into other complexity classes)

If I could view the whole internet (as a snapshot), what would I observe?  I would observe nodes (computers), edges (communications through wires, wireless, optical, etc), agents (people using computers) and collateral (programs and data on computers, messages in communications).  These are all observable facts.

Now let's identify a few agents:

  • User - someone using a computer.
  • Spyware Author - someone using a computer for (nonexclusively) constructing spyware.
  • Spyware Distributor - a computer on the internet that is visited through communications and whose intent, primary or otherwise, is to distribute spyware.  Let's not address motivation of this agent at this point.
  • Disinfection Identifier - someone using a computer for (nonexclusively) finding spyware.
  • Disinfection Author - someone using a computer for (nonexclusively) the construction of programs to combat or remove spyware.
  • Disinfection Distributor - someone using a computer for (usually exclusively) the distribution of disinfection programs.

Collateral in use:

  • Spyware - a program capable of some unintentional behavior, such as the collection of user information.  Spyware when deployed performs its given activity, usually without notification to the user.  Again, let's remain generic on its purpose and motivation.
  • Disinfection - a program capable of removing spyware on a given node.
  • Software Tools - Programs to allow for the development of spyware and disinfection.

If I start a clock and allow each interval of time to pass with an atomic (or primitive) action by each of the agents, what can I observe in emergence?  Over time, I can observe that the disinfection rate may keep the total population of infected machines to some threshold, perhaps 5% of the total number of machines for a period of time (OEB).  I may also see a complete saturation of all computers with a 100% infection rate, i.e. every computer has at least one piece of spyware (OEE).  There are other possible events and behaviors to observe.

While there is a hierarchy of EC observable facts with OEE and OEB as the lowest class facts, the OEE and the OEB provide for basic useful information in Emergent Computation.
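The clock-and-agents experiment above can be run as a small simulation. This is an added example, not code from the original post: it collapses the distributor and disinfection agents into two assumed per-tick probabilities (`p_infect`, `p_clean`), and the `window` used to decide that containment lasted "for a period of time" is also an assumption.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    saturation_tick: Optional[int]  # OEE: first tick with every node infected
    longest_contained_run: int      # longest streak of ticks at or under threshold
    contained: bool                 # OEB: streak lasted at least `window` ticks
    final_fraction: float           # infected fraction after the last tick


def simulate(nodes, ticks, p_infect, p_clean, threshold=0.05, window=50, seed=1):
    """Advance a clock; every node takes one atomic action per tick.

    p_infect: chance a clean node picks up spyware this tick (assumed value).
    p_clean:  chance an infected node is disinfected this tick (assumed value).
    """
    rng = random.Random(seed)       # fixed seed so the run is repeatable
    infected = [False] * nodes
    saturation_tick = None
    run = longest = 0
    for tick in range(1, ticks + 1):
        for n in range(nodes):
            if infected[n]:
                if rng.random() < p_clean:
                    infected[n] = False
            elif rng.random() < p_infect:
                infected[n] = True
        fraction = sum(infected) / nodes
        if fraction == 1.0 and saturation_tick is None:
            saturation_tick = tick  # the event happens at a point in time
        run = run + 1 if fraction <= threshold else 0
        longest = max(longest, run)  # the behavior is a pattern over many ticks
    return Observation(saturation_tick, longest, longest >= window, fraction)


if __name__ == "__main__":
    # Constructed scenarios: no disinfection at all, then aggressive disinfection.
    print(simulate(nodes=200, ticks=500, p_infect=0.2, p_clean=0.0))
    print(simulate(nodes=1000, ticks=200, p_infect=0.01, p_clean=0.5))
```

In this simplified model the infected fraction settles near `p_infect / (p_infect + p_clean)`, about 2% in the second scenario, which is why it stays under the 5% threshold.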

posted Monday, May 23, 2005 10:11 PM by optionsScalper with 7 Comments

Under the Radar: Opportunities for Social Engineering and the Windows MCE user

Since my current consulting engagement has me a stone's throw away from the lower cased one, we have lunch on a fairly regular basis and the topics are all over the map.  His footprint is not the same as mine, but his diversity is amazing.  He's been a speech MVP, a compact framework MVP and now a Web Services MVP.  Don't sit still, man.

So his last work was some stuff on the Pocket PC and NASA World Wind.  He's now onto some coolness with Windows Media Center Edition (MCE).

So at lunch last Thursday, as he tells me of the MCE interface and its extensibility and the coolness that is casey in what he is doing, it occurs to me what Windows MCE appears to be:  An invitation to phish.   Before we start, let me state my disclaimer:  I'm not a qualified security professional or analyst by any measure.  I am not a party with malicious intent.  My objective is to raise awareness.  The quality of software and the quality of security in use in software improves with awareness.  My perspective is that the MCE appears weak and may need to be hardened.  In fact, I'm focused on many other activities (and others) at the moment and will admit that I have not attempted to determine if these are viable, hence my use of the term opportunities in the title.  I've been having a few ethics debates (with myself) about this as well.

Perhaps it's much ado about nothing.  Let's review.

I hate to keep cross referencing schneier lest he think that I'm trying to up my juice, but I find him once again on point (and always many steps ahead) with topics that keep hitting my radar.  This post refers to an excellent exposition by these guys.  As I have not posted on Social Engineering, phishing and related topics, I'll defer to these links.

So back to Windows MCE and the opportunity.  The MCE UI is enlarged and dumbed-down (in a good way) so that the user can sit comfortably on their couch, view the interface on a large television and make their choices using a remote control.  The entire front end for MCE is a Windows application, apparently written in .Net.  For clarity, let's refer to this as the extender.  The extender allows for application extensions written either in .Net or HTML.  The extender allows for the installation of a "Hosted HTML Application" and exposes an IE browser container (mshtml2) allowing for applications written in DHTML (active content).  The extender also allows for the installation of a ".Net Add-In", i.e. an assembly written in .Net to be bound into the same process space as the extender to provide functionality.

To make certain that the user experience is wonderful (and it is a beautiful interface, kudos to the MCE team for this), the UI exposes no standard address bars, no privacy/cookie status and no security status (SSL or otherwise).  Additionally, there are premium services just a click away.  Just select the service that you'd like and away you go.  From the comfort of their couch, users can navigate to content using an interface that provides no indication of the security context.

So if I look at the potential targets, people who are willing to spend $5000 or more on a TV, spend $50 or more per month on subscription-based services and are likely not aware of these types of security risks are perfect targets.  I speculate that Microsoft has a small number of seats of the MCE product deployed, currently estimated at 1.4 million (a relatively small number compared to the number of seats of Windows XP Professional or Home), so the opportunity for revenue for parties that perpetrate fraud in the form of phishing or pharming may appear small.

Threats (without threat model classification)

This guy has a link to threat modeling here, Microsoft style (translated:  If you are a developer on Microsoft platforms, pay attention to this guy and his team).  I present threats for the MCE here purposely without appropriate threat model classification:

Hosted HTML application - DHTML software has long been known for its abilities to run "active script" on the client.  MCE supports application installations of DHTML.

No security constraint on the wire - It would appear that anyone can write applications for the MCE extender and distribute them.  There appear to be no specifications on the level of security required for any outbound or inbound HTTP (or other TCP/UDP) communications in an MCE application.  This includes intended usage of communications channels by legitimate content providers as well as malicious usage of communications by anonymous parties.

.Net add-in snooping - The .Net add-ins appear to run in the same process space.  I haven't seen any specifications on isolation that prohibits the abuse of the MCE user's personal information, i.e. any MCE credentials or personal information in the MCE extender process, from a malicious add-in (more on this below).

Initial address heist - It appears that the extender uses a centralized point (a URL) for initialization of the user presentation.  It is not clear what protections are on this information.  This must be considered a first-class entry point for a phishing or pharming attack, again in the presence of an interface that provides no indication of the security context.

Perspectives on Security

A search in the MCE SDK documentation for the word security yields 18 results.  A few of the entries are interesting:

There is an actual entry titled "Avoiding Internet Explorer Security Dialog Boxes".  Apparently, according to the documentation, "Because these dialog boxes cause unnecessary concern and are difficult to read on a TV screen, they can create an unpleasant experience for the user".

For authors of Media Center Applications there is a page titled "Reviewing your Media Center Application".  It states "If the user will need to log in to use your application, does your application provide a secure way to persist the user name or password (or both) on an opt-in basis? (Any kind of typing is burdensome with a remote control, and most users are comfortable with the level of physical security they have provided for their computers at home.)".

In the section entitled "Handling the Limited Access Rights of a Media Center Extender Session", we find the quote "To deliver the optimum level of security, a Media Center Extender session runs in the context of a limited user account. This account is created during the Media Center Extender installation process. It is hidden from the user and cannot be used outside of a Media Center Extender session."  This is a practical approach and I believe that this policy is useful for many different threats.  But the issue is the location of the credentials of the MCE user.  The MCE extender has access to transport those credentials to receive content, i.e. it has read access to that information.  The ability to create add-ins and Hosted HTML applications in the same process space provides an opportunity for snooping in the current process.  If the credentials are available in any way and there is no Code Access Security (CAS), i.e. the partitioning of security context for items in the runtime environment, the credentials are at risk for snooping.  A search for "code access" (with double quotes around the two words) yields "No topics available."  NOTE to MCE team:  If CAS is there, advertise this fact.

Conclusion:  I am not trying to be an alarmist with these issues.  With respect (and admiration) for the Security and MCE teams at Microsoft and the issues they face, this just doesn't look right to me.

posted Monday, May 23, 2005 8:29 AM by optionsScalper with 0 Comments
