Month: November 2007

  • Australia has a new government! Yay for democracy!

    The old guard has been thrown out. In true Australian style, if you stick it to the battler, attacking and destroying the very fundament of Australian society – “a fair go”, you’re out. And the Australian people have spoken, and it looks like soon to be ex-PM John Howard may even lose his seat. It couldn’t happen to a nicer person so out of touch with the modern day reality. The 1950’s were a long time ago, and we needed a modern government for these last twelve years, not someone who denied climate change despite a 9 year drought right in front of our very eyes. We needed someone who does not think that economic growth is more important than society itself. The Montgomery Burns world view simply does not work.

    Good luck to Kevin Rudd. It’ll be awesome to have a Prime Minister who can speak two languages for once. As an ex-diplomat, I wonder if he has the cojones necessary to stand up to the Unions so it doesn’t go too far the other way. Whitlam lost that battle, and that was a worse disaster than even Howard, even though his heart was in the right place and most of his policies (free tertiary education for all, free health care for all) made him one of Australia’s best Prime Ministers, and a legacy that to this day is unsurpassed in Australian history.

    I only wish I wasn’t disenfranchised at the moment by being in the USA. I missed out voting entirely as we’re now off the electoral roll. In the future, I can’t say to my daughter that I had a hand in getting rid of one of Australia’s worst ever governments, one which let power go to its head and conduct ideology experiments on an unwilling public. Oh well.

    Let’s hope that if Rudd gets power in both houses, or at least Greens as the balance of power, the same thing that happened to Howard’s government doesn’t happen to the Labor party.

  • Two new OWASP Board members

    As it’s nearly time for Tanya and me to welcome our first (and probably only) child into this world, it’s time to simplify my life. To that end, I am no longer on the OWASP Board, and OWASP has selected two new board members: Tom Brennan and Sebastian Deleersnyder. This takes effect pretty much immediately.

    This is a great fit for OWASP – two very active community members, and it widens the Board membership to another member from the EU as well as the leader of the busiest OWASP chapter of them all.

    Over the next few weeks, I’m probably going to simplify my life even further as I have no idea how much time (or little) I will have for out of hours pursuits. 

    Anyway, I welcome Tom and Seba to the Board, where I am sure they will do great things for OWASP.  

  • Let’s talk mainframes for a bit. Part 1: Background and AuthC

    In larger organizations, the back end of a web application is a mainframe. The mainframe is the final frontier of application security:

    1. Uses a platform few if any in the application security industry know about
    2. Those who do know mainframe security rarely interact with the outside
    3. IBM trains young devs in how to program COBOL, RPG, or PL/1 for its large institutional clients, but they rarely – if ever – get taught the fundamentals of security, risk management, or even the basic security features of their platform and language
    4. Most security features simply don’t exist in the mainframe’s core languages. For example, standard COBOL does not support SHA-512; it has to call out to do that.

    This is a shame as the mainframe is actually a damn fine security platform:

    • One authC/authZ framework to rule them all. And it’s actually pretty good.
    • A transactional model which is inherently thread safe
    • Mandatory access control to data if you desire 
    • Logical partitioning of hardware and resources in water tight sandboxes that Dinis Cruz wishes was in .NET 🙂 (sorry, Dinis, couldn’t resist)
    • All modern IBM mainframes come with a hardware security module (HSM, a crypto card which can store keys and do safe crypto processing)
    • and on, and on, and on… 

    The problem is that most mainframe code does very little to protect itself. The original risk model is a 3270 green screen dumb terminal running in a locked down environment with fairly hardcore presentation layer access control (generally a menu system) being used by trusted staff members who liked their jobs. That same code is now not only well past the age of consent, it’s done the binge drinking thing, grown a goatee, moved out of home, shaved the goatee, and is thinking seriously about starting a family. And suddenly, it’s being hooked up on a blind date with code of negotiable value who likes to party by picking up all the keys in the bucket. Metaphorically speaking. You know where this is going.

    In a typical web application scenario, we have the following architecture:

    [Figure: mainframe-security-architecture.png]

    The usual problems we have here include:

    Authentication

    We talk to MQ via… one single connection. So does the database. So what’s the big deal? Well, in many systems, database queries are designed with this in mind. If they aren’t, we have direct object reference attacks which result in loss of fine grained authorization. But let’s assume our data architect was clued in, and we see SQL like this:

    SELECT * FROM orders WHERE orderID = ... AND userID = ...

    or

    SELECT * FROM orders WHERE orderID = ... AND roleID in (SALES_ROLE, MANAGER_ROLE, ...)

    This prevents the attacker from seeing records which are not owned by the user, or in the latter case records outside the correct role. Mix and match to suit your requirements.

    Back to the mainframe. We talk to the mainframe through something like MQ or SNA Server. The mainframe is running a piece of code written explicitly for a 3270 or 5250 terminal using menu level security or even better with a proper protection profile from RACF. Back in the day, each of these semi-smart terminals had their own logical address (LU) telling the sys prog who was logged in, where it was, and way more importantly… that a trusted staff member was doing stuff.

    When exposing mainframe transactions to the enterprise, the industry’s first shot at SOA was the Enterprise Message Bus, later renamed Enterprise Service Bus and lately seen down in the docks sporting the SOA name tag now that we’re doing exactly the same stuff as we were doing in the early 90s … using unreliable web protocols instead of reliable mechanisms like MQ, Biztalk or SNA Server.

    Next week, we start to see why it’s important to not only impersonate the correct user, but also not to give the transaction more privileges than you need.
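    As an added example (not code from the original post), here is the difference between an unscoped lookup and the userID/roleID-scoped queries above, run against a constructed in-memory SQLite table; the column and role names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data (not from the original post): three orders owned
# by three users, with the role of the user who placed each one.
SAMPLE_ORDERS = [
    (1001, "alice", "SALES_ROLE", 250.00),
    (1002, "bob", "SALES_ROLE", 99.50),
    (1003, "carol", "MANAGER_ROLE", 1200.00),
]


def build_db():
    """In-memory orders table standing in for the shared back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (orderID INTEGER PRIMARY KEY, userID TEXT, "
        "roleID TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def fetch_order_unscoped(conn, order_id):
    """Vulnerable: keyed on orderID alone. Because the web tier talks to the
    database over one trusted connection, any caller who can guess an id
    reads any row (a direct object reference problem)."""
    return conn.execute(
        "SELECT orderID, userID, total FROM orders WHERE orderID = ?", (order_id,)
    ).fetchone()


def fetch_order_for_user(conn, order_id, user_id):
    """Ownership-scoped query: the WHERE clause carries the authorization the
    single shared connection cannot provide."""
    return conn.execute(
        "SELECT orderID, userID, total FROM orders WHERE orderID = ? AND userID = ?",
        (order_id, user_id),
    ).fetchone()


def fetch_order_for_roles(conn, order_id, roles):
    """Role-scoped variant: roleID IN (...) built with one placeholder per role,
    so the role list stays a bound parameter rather than string concatenation."""
    if not roles:
        return None  # no permitted roles means nothing is visible
    placeholders = ",".join("?" * len(roles))
    sql = (
        "SELECT orderID, userID, total FROM orders "
        f"WHERE orderID = ? AND roleID IN ({placeholders})"
    )
    return conn.execute(sql, (order_id, *roles)).fetchone()
```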

  • Pizza. Check. Violet Crumble. Check. Biggest Loser. Check! All systems go!

    I don’t know why I do it, but I invariably wobble on diets on Tuesdays. So I’m doing the only thing I can – I watched the Biggest Loser with a few slices of Hawaiian pizza, a diet Pepsi, and a Violet Crumble to wash things down to get a bit of a sugar rush later.

    I’m down from 155.1 (last Tuesday) to 153.5 (last Saturday). Which is 1.6 kg. Which is 1% of my body weight. Sweet.

    Been a good boy except for tonight, so with some luck, I will not bounce back too much this coming Saturday from the pig out session.

    The folks on Biggest Loser are doing much better than I am – one guy made 100 lbs tonight, which is 45.5 kg in either 9 or 12 weeks (it’s not clear from the program as they wobble themselves on timelines). That really can’t be healthy, so I prefer my 1% body fat loss. If I keep that up, I’ll be truly svelte in 2009 or thereabouts.

  • No more excuses – weight loss starts now

    I’m home for the foreseeable future, so it’s time to stop blaming being on the road for getting the right food down my neck, and not exercising.

    It is difficult to get high quality, low sugar, low GI foods in the USA. There is a myth that everything is high fat here, but it’s a myth. Sure, there are heart attacks on a plate, but you have to go find them or make them yourself. I think the bigger problem is serving sizes and high sugar content, rather than the fat content.

    A good example is butter. Butter is the devil here – it’s practically impossible to get real butter at a sandwich bar. You can get butter at the supermarket if you look hard, but the stuff put out at restaurants is rarely butter. A customer I visit regularly has a cafeteria at which it’s hard to eat badly … except it is easy to get lots of mayo, ranch dressing and other tasty condiments slathered on your sandwich which are far, far worse than butter. Tuna salad is not precisely “salad”, but full fat mayo and tuna. Most sandwich stuffings have a creamy, high fat texture.

    We were at the supermarket earlier tonight, doing the first weekly shop for my new food choices. It took a long time, and cost a lot of money. I was a bit shocked at the check out. Sure we bought a LOT of things you don’t need if you buy pizza every night. I now have the hugest collection of spices and seasonings I’ve ever owned at any time in my adult life. Our shop came to $320. That’s close enough to $AUD 350. I hope that future weeks will not be so expensive as we will not be buying 20 or so spices.

    Shopping took nearly twice as long as our normal shop. A typical example: searching the nutrition panels on about 20 different margarines, I found the lightest, least sodium enriched margarine with no sugar (hard!). You have to be careful to avoid buying things with unnatural sugar additives – “normal” US butter is churned with sugar (to create “whipped” butter), and pretty much all the bread is sickly sweet with sugar. That row in the supermarket literally stinks to my Australian nose, even after nearly a year of being exposed to funny tasting bread. Tanya threw up there tonight – the first time she’s puked in the supermarket.

    The margarine folks don’t use “margarine” – they use “spread”, but it’s margarine. I found a “lite” version of ICBINB, which had 85 mg sodium and 50 calories per tbsp. I then compared that to the full strength butter we normally use, and it has 85 calories and 85 mg sodium per serve. That actually puts our full fat butter in the lower end of the various margarines, and only a bit worse than the probably less than pleasing “lite” spread I nearly bought. For the amount of butter I use in a week (about 2 tbsp), it’s just not worth it to take the hit in taste. I took the same view with milk (4% fat is “light” for most foods) until I started having breakfast every day. Now, I am on 2%, and there’s only a minor taste difference.

    I think cost and serving size is the reason why US folks are a bit chubbier overall than most countries. It costs a lot more to eat healthy here than it does to buy a “Man sized” frozen dinner, or to go out and buy a massive serve at the local diner or chain restaurant. Despite this, most US folks are not that fat, despite the constant bleating in the media and the impression we get back in Australia. I think there is one other person in my company of a comparable size to me. The rest are skinny and lead active lifestyles.

    Serving sizes are killer here. You can easily buy a meal, cut it in half and take half home with you. Most restaurants have an ample supply of boxes to do exactly that. Considering how litigious the US is, I’m surprised the lawyers don’t step in and stop places from doggy bagging stuff so as to prevent lawsuits from customers who take food home in a white foam box with no reheating instructions and subsequently get sick.

    My problem has always been serving sizes. I don’t have an “off” switch. I will eat until I am physically incapable of eating any more – I feel awful for hours afterwards. I ordered a 12 oz steak tonight. I have no idea how big that is in real measuring sizes. So I’ve bought a set of precision Salter scales, good for +/- 0.1 g to 3 kg. That will help immeasurably as I work in metric and all the stuff I buy is in legacy units and my recipe books (and my brain) are in metric.

    Talking about scales, I nearly bought a set of Weight Watchers digital scales at Bed Bath and Beyond. I’m still thinking about it. This scale is a lot more accurate (+/- 0.1 kg calibrated to 180 kg) than my current scales, which only go to 150 kg and +/- 0.5 kg after 100 kg. I think I’m heavier than 150 kg as my barometer pants no longer fit. But my scales read 150-152 kg all the time. There are scales at the gym, but I don’t know if they reach my current weight (probably) or if they are calibrated (probably). Worst of all, I’d have to convert back from the legacy “customary” units they use here to metric. The last is the most likely reason to buy scales. But whilst I am so heavy, I think weighing myself is a moot point unless I start eating well and exercising.

    Last week, we bought more shorts and t-shirts for me, so I can go to the gym the entire week without having an excuse not to go. I walked 25 minutes yesterday, and we were doing shopping for nearly three hours today. It’s my plan to go to the gym initially three times a week for an hour (which equates to about 40-45 minutes on the equipment), and walk 20-30 minutes two more days. I’ll bump it up when I feel I’m no longer feeling out of breath.

    So, there you go. I have a week’s worth of expensive, healthy food. Two days of exercise down, and two days of following the eating plan with only one minor blow out (too much meat tonight). Let’s see how I go next week. As weight loss is not the current focus of this blog, if you want to follow my travails, use the “Weight loss” page tab above.