Flackery, part deux

Most public relations flacks stop inundating me with unwanted press releases after I kindly ask them to. But others… others just don’t learn. And sometimes, like today, those others send me PR mails about sappy poems for pregnant women. (Seriously.) And then I have to write them e-mails like this:

My dear Karen,

On Sep. 26, in response to your e-mail, I sent you a link to my policy on unsolicited PR e-mails.

Your latest love letter, however, troubles me deeply. It’s not that it’s again unsolicited, or that it still contains no way to opt out of future communications, or even that it contains bad English — “all expectant mother’s should have” is not, in fact, a possessive construction, but a simple plural. That much is roughly par for the course. No, the troubling part is that you’re sending me a letter about poetry for new moms. Are you trying to say I look fat in these khakis?

Surely you didn’t write to discuss the book’s themes — the miracle of life, God’s plan for the family, or the birth of an angel — given that I believe neither in miracles, nor gods, nor angels. (With the exception of Angel, the brooding vampire with a soul and a heart of gold in Joss Whedon’s Emmy Award-winning TV show Buffy the Vampire Slayer. Have you watched it? Angel’s badass.)

So I suppose the fact you sent me this letter is in itself a kind of miracle: a miracle of unbelievably, mindbogglingly, hilariously bad targeting. Don’t you guys have databases for this stuff?

Karen, clearly our illicit and torrid e-mail affair left a lasting impression on both of us. It seems like only last month that I whispered sweet nothings — of the “please send me nothing more” kind — in your inbox. But you know things were never meant to be between us. You have to be strong and move on. I have.

Maybe if we had tried couples counseling in time?

Love always,
Ivan.

No word yet from Karen. I think I broke her heart.

Greenspan on the crisis

This past Thursday, former Fed chairman Alan Greenspan testified about his role in the economic crisis before the House Oversight and Government Reform Committee headed by Rep. Henry Waxman. While a vocal chorus of critics, including at least two economics Nobel Prize winners, contend Greenspan is largely responsible for the market collapse, Greenspan has thus far maintained he was entirely without blame. Yet his congressional testimony sounded, at times, unexpectedly contrite. The parts I found most interesting:

Alan Greenspan: Uncritical acceptance of credit ratings by purchasers of these toxic assets has led to huge losses. It was the failure to properly price such risky assets that precipitated the crisis. In recent decades, a vast risk management and pricing system has evolved, combining the best insights with mathematicians and finance experts, supported by major advances in computer and communications technology. A Nobel Prize was awarded for discovery of the pricing model that underpins much of the advance in derivatives markets. This modern risk management paradigm held sway for decades. The whole intellectual edifice, however, collapsed in the summer of last year, because the data inputted into the risk management models generally covered only the past two decades, a period of euphoria. [...]

I made a mistake in presuming that the self-interest of organizations, specifically banks and others, were such is that they were best capable of protecting their own shareholders and their equity in the firms. [...]

I found a flaw in the model that I perceived is the critical functioning structure that defines how the world works, so to speak.

Chairman Waxman: In other words, you found that your view of the world, your ideology, was not right, it was not working.

Alan Greenspan: Precisely. That’s precisely the reason I was shocked, because I had been going for 40 years or more with very considerable evidence that it was working exceptionally well.

The Times has a summary, and a complete preliminary transcript is available from the Committee website, which includes the prepared statements that were delivered. If you’re looking to figure out more of how the crisis came to be, skimming the transcript is a good place to start. And the Times’ Bits blog has a fascinating post putting Greenspan’s comments about risk management systems in context. In short, computers don’t help if you lie to them.

From Scandinavia with Love

I have three observations about Finland: it’s cold, expensive, and there are little naked people in the headboard of my hotel bed. (Stay classy, Radisson SAS.)

I was in Helsinki last week to deliver the keynote at T2, a phenomenally organized little security conference that attracts some very smart people. At less than a hundred attendees, it’s a much more intimate and social conference setting than I’m used to, and I just had a blast.

My talk on the bitter and miserable tale that is desktop security was two hours long, which is about double the length of my usual keynotes. In preparing the presentation, I pulled together a lot of material that I had floating around in various places, and I’ve decided to turn the result into a longer essay on desktop security in lieu of posting my slide deck directly. Until I do so, let me share a few conference highlights.

Outpost24’s Jack Louis and Robert E. Lee, two American expats now living in Sweden, gave an amusing demo of their sockstress TCP/IP state table attacks, which have been getting some attention lately. They’re working with vendors and didn’t make public any technical details of the attacks, but the attacks do look Very Serious. They also look rather misunderstood. This isn’t Yet Another Connection Flood or a SYN cookie problem. The demo brought a fully-patched XP machine to a complete freeze in about three minutes with only 30-40 (malicious) connections per second, and network utilization at the victim floating around 0.1% of 100Mbit/s. I have several ideas about what’s happening and hope to independently verify some of the attacks in the lab, but at first glance, these guys have only scratched the tip of the iceberg in what’s a rather unpleasant class of attacks. We’ll probably be dealing with this mess for a good, long while.


Sockstress demo. Pinball on the victim machine starts lagging and then comes to a total standstill with the rest of the OS in a few minutes.
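To make the "this isn’t a connection flood" point concrete from the monitoring side, here is an added example (my own constructed illustration, not Outpost24’s code or anything the demo disclosed): a detector fed a constructed connection log in which one source opens only 35 connections a second at well under 0.1% of a 100 Mbit/s link, yet holds thousands of them open. Flood-style rate and bandwidth thresholds never fire; a per-source state-table occupancy check does. All thresholds and addresses are assumed values.

```python
from collections import defaultdict

LINK_BPS = 100_000_000   # 100 Mbit/s victim link, as in the demo described above
FLOOD_RATE = 1000        # assumed "connection flood" alarm: new connections per second per source
FLOOD_UTIL = 0.10        # assumed bandwidth alarm: fraction of link capacity
HELD_LIMIT = 2000        # assumed tolerated number of simultaneously open connections per source

def make_records():
    """Constructed connection log: (open_s, close_s or None if still open, src_ip, bytes)."""
    recs = []
    # Hypothetical low-rate source: 35 new connections/s for 180 s, ~300 bytes each, never closed.
    for t in range(180):
        for i in range(35):
            recs.append((t + i / 35, None, "10.0.0.99", 300))
    # Hypothetical legitimate client: 5 connections/s, each closed after 2 s with 50 KB transferred.
    for t in range(180):
        for i in range(5):
            recs.append((t + i / 5, t + i / 5 + 2, "10.0.0.7", 50_000))
    return recs

def summarize(recs, now):
    """Per source: peak new-connection rate, average link utilisation, connections still open at `now`."""
    per_sec = defaultdict(lambda: defaultdict(int))
    total_bytes = defaultdict(int)
    held = defaultdict(int)
    t0 = min(r[0] for r in recs)
    for open_s, close_s, src, nbytes in recs:
        per_sec[src][int(open_s)] += 1
        total_bytes[src] += nbytes
        if close_s is None or close_s > now:
            held[src] += 1
    span = max(now - t0, 1)
    return {src: {"peak_rate": max(per_sec[src].values()),
                  "util": total_bytes[src] * 8 / span / LINK_BPS,
                  "held": held[src]} for src in per_sec}

def flood_alerts(stats):
    """What a classic flood detector would flag: high connection rate or high bandwidth."""
    return sorted(s for s, v in stats.items() if v["peak_rate"] > FLOOD_RATE or v["util"] > FLOOD_UTIL)

def state_hold_alerts(stats):
    """What catches the low-rate case: too many connections held open in the victim's state table."""
    return sorted(s for s, v in stats.items() if v["held"] > HELD_LIMIT)

if __name__ == "__main__":
    stats = summarize(make_records(), now=180)
    for src, v in stats.items():
        print(f"{src}: peak {v['peak_rate']}/s, util {v['util']:.4%}, held {v['held']}")
    print("flood alerts:", flood_alerts(stats))
    print("state-hold alerts:", state_hold_alerts(stats))
```

On this constructed log the quiet source sits at 35 connections/s and roughly 0.08% utilisation, so it looks like background noise to rate and bandwidth alarms while holding 6300 entries in the victim’s connection table.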

The Pirate Bay’s founder, TiAMO, gave a talk with Toolcrypt’s olleB about IPETEE, their idea for a mass-deployed, application-transparent opportunistic encryption system to prevent wide-scale passive wiretapping on the Internet. The original proposal made me very uneasy, being an obviously amateur design with highly questionable design choices; I spent some time talking to the guys, and as I suspected, they’ve done neither protocol design nor crypto before. Luckily, they’re quite sharp and very good sports, and after several conversations, I think I’ve convinced them to consider making IPETEE just a zero-configuration transparent (D)TLS/AES-CTR implementation with null certificates. It looks like this can be massaged into addressing their threat model and design requirements fully, and might actually make a pretty neat system.


Yes, this man runs the website that continues to have great success pissing off the world’s most powerful media lobbies. He’s also great fun to drink with.

Finally, the Finnish security giant F-Secure is headquartered a subway stop away from the conference hotel, and their research chief Mikko Hyppönen kindly invited me over for a tour of their lab. F-Secure does a lot of excellent malware research work, and a look at their backend tools paints a frightening picture. They currently operate a 17TB malware archive consisting of about 14.5 million samples — managed, of course, through a Python web frontend. They’re receiving 50 thousand malware samples a day, of which 15-20k are unique, and have some frightening visualizations including a real-time overlay of viral infections and botnets within Google Earth. I also took a look at their cell phone malware testing lab which, through a partnership with Nokia, is able to simulate a real GSM “red” network for securely examining malware which sends SMS or MMS messages, or otherwise requires cellular connectivity.


Execution flow visualization for the Bagle worm. Boxes are subroutines; they start blue and turn red when invoked.

And how do they keep the cell phone viruses they’re examining from spreading wirelessly? They do all the testing in a walk-in Faraday cage, of course! “35 GHz, stops everything,” Mikko tells me excitedly, then for a split second sounds crestfallen: “Except radar.” (I have it on good authority that Apple isn’t planning to add a radar dish to the next version of the iPhone, so Mikko has little immediate cause for concern.)

T2 is an excellent conference, and I had a great time with some very fun people — if you can attend, I recommend it wholeheartedly.


The T2 speakers’ dinner, at the excellent restaurant Lappi.
