climate change activist and science communicator; photographer; mapmaker — advocate for a stable global climate, reduced nuclear weapon risks, and safe human-AI interaction
Posts about the internet
By the time anyone is reading this, I will be well on my way to Snowdonia with the Walking Club. Rather than make this the longest pause in blogging in recent memory (four days!), I have queued up some short entries with images.
This post is a fairly esoteric one, of interest only to people who are either using WordPress of thinking of setting up a WordPress blog. It details two little programming tricks that improve the WordPress experience. Continue reading “Two useful WordPress hacks”
One research tool that surprisingly few people seem to know about is the Wayback Machine, at the Internet Archive. If you are looking for the old corporate homepage of the disbanded mercenary firm Executive Outcomes, or want to see something that used to be posted on a governmental site, but is no longer available there, it is worth a try.
Obviously, they cannot archive everything that is online, but the collection is complete enough to have helped out more than a couple of my friends. People who operate sites may also be interested in having a look at what data of yours they have collected.
The following is the article I submitted as part of my application for the Richard Casement internship at The Economist. My hope was to demonstrate an ability to deal with a very technical subject in a comprehensible way. This post will be automatically published once the contest has closed in all time zones.
Cryptography
Making a hash of things
Oxford
A contest to replace a workhorse of computer security is announced
While Julius Caesar hoped to prevent the hostile interception of his orders through the use of a simple cipher, modern cryptography has far more applications. One of the key drivers behind that versatility is an important but little-known tool called a hash function. These consist of algorithms that take a particular collection of data and generate a smaller ‘fingerprint’ from it. That can later be used to verify the integrity of the data in question, which could be anything from a password to digital photographs collected at a crime scene. Hash functions are used to protect against accidental changes to data, such as those caused by file corruption, as well as intentional efforts at fraud. Cryptographer and security expert Bruce Schneier calls hash functions “the workhorse of cryptography” and explains that: “Every time you do something with security on the internet, a hash function is involved somewhere.” As techniques for digital manipulation become more accessible and sophisticated, the importance of such verification tools becomes greater. At the same time, the emergence of a significant threat to the most commonly used hashing algorithm in existence has prompted a search for a more secure replacement.
Hash functions modify data in ways subject to two conditions: that it be impossible to work backward from the transformed or ‘hashed’ version to the original, and that multiple originals not produce the same hashed output. As with standard cryptography (in which unencrypted text is passed through an algorithm to generate encrypted text, and vice versa), the standard of ‘impossibility’ is really one of impracticability, given available computing resources and the sensitivity of the data in question. The hashed ‘fingerprint’ can be compared with a file and, if they still correspond, the integrity of the file is affirmed. Also, computer systems that store hashed versions of passwords do not pose the risk of yielding all user passwords in plain text form, if the files containing them are accidentally exposed of maliciously infiltrated. When users enter passwords to be authenticated, they can be hashed and compared with the stored version, without the need to store the unencrypted form. Given the frequency of ‘insider’ attacks within organizations, such precautions benefit both the users and owners of the systems in question.
Given their wide range of uses, the integrity of hash functions has become important for many industries and applications. For instance, they are used to verify the integrity of software security updates distributed automatically over the Internet. If malicious users were able to modify a file in a way that did not change the ‘fingerprint,’ as verified through a common algorithm, it could open the door to various kinds of attack. Alternatively, malicious users who could work backward from hashed data to the original form could compromise systems in other ways. They could, for instance, gain access to the unencrypted form of all the passwords in a large database. Since most people use the same password for several applications, such an attack could lead to further breaches. The SHA-1 algorithm, which has been widely used since 1995, was significantly compromised in February 2005. This was achieved by a team led by Xiaoyun Wang and primarily based at China’s Shandong University. In the past, the team had demonstrated attacks against MD5 and SHA: hash functions prior to SHA-1. Their success has prompted calls for a more durable replacement.
The need for such a replacement has now led the U.S. National Institute of Standards and Technology to initiate a contest to devise a successor. The competition is to begin in the fall of 2008, and continue until 2011. Contests like the one ongoing have a promising history in cryptography. Notably, the Advanced Encryption Standard, which was devised as a more secure replacement to the prior Data Encryption Standard, was decided upon by means of an open competition between fifteen teams of cryptographers between 1997 and 2000. At least some of those disappointed in that contest are now hard at work on what they hope will become one of the standard hash functions of the future.
Using Yahoo Pipes, a neat visual tool for making simple web applications, I made an RSS feed that aggregates new blog posts, blog comments, changes to the wiki, and 43(places/things/people) contributions. While this particular feed is probably only of use to me, people may well find the architecture useful for doing other things.
While it will probably never be the case that you can do serious computer engineering without knowing how to write code, tools like this are a good way to deal with the fact that the vast majority of computer users will never write Java or PERL. Designing interfaces which are both flexible and comprehensible to non-experts is quite a challenge, but certainly one worth taking up. Much of the momentum behind blogs is simply the result of the fact that they can be set up and operated by people who have never needed to deal with a command prompt or the configuration of a web server.
If we were allowed to run a wireless network, I would think very seriously about buying a WiFi Skype phone – a product distinctly more novel than the much touted Apple iPhone.
Basically, you have a little device that looks like a cell phone. It searches for wireless networks, connects to one if available, and then uses it to make calls using Skype. More people should use Skype. Calls to anyone who is online are free (as is always the case with Skype) and those to normal phones are cheap (two cents a minute to Canada, from anywhere in the world). For those in the UK, there is a deal right now: a Skype WiFi phone, a wireless router, 900 SkypeOut minutes (to call normal phones), and a year’s worth of voicemail for £99 ($230).
Not having to use a computer, and being able to use the phone anywhere there is a wireless network are pretty excellent features. Of course, the real fun will begin when somebody makes a combined device that can access GSM cellphone networks at times when WiFi is unavailable, but otherwise routes calls through Skype.
Be warned, GoDaddy is having trouble with their servers again (especially the MySQL servers). This they confirmed when I called them a few minutes ago. Bits of the site keep popping in and out of existence, so bear with it while they continue to engage in whatever form of sorcery they have been building up towards for the last few days. All parts of the blog and wiki have been affected, and the tech support people say they don’t know when it will end.
One of the oldest problems in cryptography is key management. The simplest kind of cryptographic arrangement is based on a single key used by however many parties both for encryption and decryption. This carries two big risks, however. In the first place, you need a secure mechanism for key distribution. Secondly, it is generally impossible to revoke a key, either for one individual or for everyone. Because of these limitations, public key cryptography (which utilizes key pairs) has proved a more appropriate mechanism in many applications.
Once in a while, now, you read about ‘unbreakable’ cryptography based on quantum mechanics. The quantum phenomena employed are actually used for key generation, not for the actual business of encrypting and decrypting messages. Like the use of a one-time pad, the symmetric keys produced by this system hold out the promise of powerful encryption. Of course, such systems remain vulnerable both to other kinds of cryptographic attacks, particularly the ‘side channel’ attacks that have so often been the basis for successful code-breaking. Recent examples include the cracking of the encryption on DVDs, as well as Blu-Ray and HD-DVDs.
An example of a side-channel attack is trawling through RAM and virtual memory to try and find the password to some encrypted system. When you login to a website using secure socket layering (SSL), the data sent over the network is encrypted. That said, the program with which you access the site may well take the string of text that constitutes your password and then dump it into RAM and/or the swap space on your hard disk somewhere. Skimming through memory for password-like strings is much less resource intensive than simply trying every possible password. Programs like Forensic Toolkit by AccessData make this process easy. People who use the same string in multiple applications (any of which could storing passwords insecurely) are even more vulnerable.
As in a large number of other security related areas, people using Apple computers have a slight advantage. While not on by default. if you go into the security menu in the system preferences, you can turn on “Use secure virtual memory.” This encrypts the contents of your swap space, to help protect against the kind of attack described above.
The real lesson of all of this is that total information security can never be achieved. One just needs to strike a balance between the sensitivity of the data, the probability of it coming under examination, and the level of effort that would be required to overcome whatever security is in place.
PS. My PGP public key is available online, for anyone who wants to send me coded messages. Free copies of the encryption software Pretty Good Privacy (PGP) can also be easily downloaded.
Proving the adage that technology is actually driven by evil spirits who let it fail just when it is most inconvenient: the MySQL database that serves as the back-end to my wiki has chosen this morning – an hour before I need to give a presentation stored in the wiki – to go kaput. SQL failures have been an irksome occasional occurrence with GoDaddy hosting. Good thing I printed off a PDF version of the presentation before going to sleep.
Oywg, gk eygcwylw vfmfkghtamdv trzknrz utg fwbyuyq zu lf ezx dvpyu dxiggmkn – ljae tw wt jec vvq wph whv cozi sax ej bv – lwwlmme sya L srqm oip tb zxfpbum gx uckf hui vchuwzbv um pufs ntw ar wvtaiebrtvwa woro oec. Hbc, O prgw tu lpff gr gczi qp okts l pdxk hmwqt iyiveedogmsa hr kwv Ugrpvxaw Zvrtbfhs, eje cy wtvxl pgmkg nmfgl gz exivc. (CR:ISM)
Studying at Oxford? Interested in Strategic Studies? Web savvy? If these characteristics apply to you, consider nominating yourself to be the next webmaster of the Oxford University Strategic Studies Group. At present, I am serving in this capacity, but I will be leaving Oxford at the beginning of July.
The workload is very reasonable: uploading a termcard in HTML and PDF format once a term and then formatting speaker biographies and photos for each week of term time. Documentation that describes all of these processes, step by step, will be available. No coding skill is necessary; indeed, anyone who can run a blog can use Mambo, the content management system behind the OUSSG site. Basic knowledge of FTP use, HTML, and photo cropping would be assets.
Nominations for President, Vice-President (my other current role), and Secretary open at this Tuesday’s meeting at 8:30pm in All Souls College. Anyone interested in the webmaster position should contact any member of the executive in person or by email.
WordPress Upgrade Chain:
Report bugs. Upgrades like this always make me nervous.
Papa Fly Productions and the nsn section should change over during the next couple of days, once I have kicked the tires here a bit.
[Update: 29 Jan 2007, 5:00pm] nsn portion upgraded to 2.1
[Update: 29 Jan 2007, 6:00pm] Papa Fly Films upgraded to 2.1. I was nervous about theme compatibility, so I made a full backup of the 2.0.7 install beforehand.