Tales from the Crypto

         Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

March 3, 2009

Microsoft TechFest

Last week, I went to Microsoft’s TechFest as part of their “Public Day”. This is the first time MVPs as a group have been invited to this event, and although it’s clear we missed some of the demonstrations that are not public-ready, this is something that I hope can be extended to us in future, even if only to Washington-state MVPs

For general news links on MS TechFest 2009, you can search news.google.com for “TechFest”. Here’s a couple of samples:

http://www.king5.com/video/index.html?nvid=335707 – I didn’t see these guys there.

http://www.guardian.co.uk/technology/blog/2009/feb/25/microsoft-software – I bumped into this guy.

I also saw Chris Pirillo there from LockerGnome and Chris.Pirillo, but he hasn’t written anything yet. I only mention him because it’s about time that I thanked him for being one of the earliest online writers (they were called “e-Zines” back then, apparently) to mention WFTPD in his column. Sadly, I don’t have a copy to remember what it is that he said 🙁

Apologies to anyone who expected to reach me by email that day – the usual computers spread around the Microsoft Conference Centre for email and web browsing were missing, possibly because the Press were there, and they’ll steal anything that isn’t nailed down, before coming back with crowbars.

So, here’s some description of the things I saw, ranging from the exciting and relevant to the “why is Microsoft spending money on that?” [Note that this is not meant to be disrespectful of ‘pure research’ – often, today’s “useless meanderings” become tomorrows product – WFTPD itself started from a momentary “how hard can it really be?” lapse in my own judgement, followed by a little research and a lot of effort.]

Specification Inference for Security
To improve focus on potential security faults in static analysis tools, this is a toolset whose approach is to divide functions into Sources, Sinks and Sanitizers (although that alliteration is liable to lead to confusion) – Sources generate untrustworthy data from input, Sinks consume data that they trust will fit their expectations, and Sanitizers transform the data along the way, ideally making sure that it goes from untrustworthy to trusted. Thinking in terms of a SQL injection, the Source would be a web server receiving input from a user containing a SQL command, the Sink would be the SQL server, and the Sanitizer would be whatever code packages the input and determines whether to pass it to the SQL server, and what changes to make (such as requiring proper quoting, or using a stored proc or parameterized query). Once these categorizations have been made, the static analysis tool can check that Sanitizers actually do sanitize – rather than having to try and analyse every function for possible sanitization. http://research.microsoft.com/merlin
Concurrency Analysis Platform and Tools
Enhances your test tool set by allowing tests to run with multiple permutations of concurrency. Race conditions are usually caught by users, or in production environments, because the environments cause different threads or processes to run at different speeds – with this toolkit, you get to try out multiple combinations of execution sequence, so that you are more likely to trigger the race condition. Of course, you still have to write tests that consider the prospect of doing more than one thing at a time, and because there are a large number of concurrency permutations, it’s not a turn-key solution, but it does allow you to debug concurrency issues more methodically, and catch those that appear more frequently. http://research.microsoft.com/chess – and this one’s available for download as an add-on to Visual Studio!
Lightweight Software Transactions for Games
Not just for games, the ORCS platform (Object-based Runtime for Concurrent Systems) makes coding multi-threaded applications easier and more problem-free. http://research.microsoft.com/orcs
Closed-Loop Control Systems for the Data Center
Power consumption monitoring and control allows for servers to be brought online or offline as computing demands change, so that as usage ramps up, more servers are turned on, and as usage declines, servers are turned off. I don’t think this is entirely original.
Algorithms and Cryptography
Cryptographic solutions with leakage. Unfortunately, the lady who came up with this wasn’t on hand to discuss her work, and her husband standing in for her didn’t seem to understand much about it either. The poster claimed an algorithm whereby you could leak some of your key to an attacker without reducing the strength of the key. I’m not sure how this works, or where it differs from having redundant information in the keys, or something like M of N crypto, but maybe it’ll be something that will affect our field in the years to come.
Opinion Search
Full of marketing jargon and too dense for me to penetrate, this is something that we could potentially use in the business side of Expedia, making use of customer opinions to allow search results to match the user’s opinion against the opinions of others with whom they have consistently agreed in the past, and can be expected to do so in the future.
Low-Power Processors in the Data Center
Using Netbook processors for data processing in a parallel environment allows for significant power savings.
Audio Spatialisation and AEC for Teleconferencing
Relying on the rise of computer-phone integration, and the fact that most computers have stereo speakers, this is a system for teleconferencing where different parties are given a different spot in the stereo spatialisation. Makes it much easier to tell who’s talking.
Surface computing taken to another level, literally. The surface on which images are projected is usually a light diffuser, so that the image effectively “stays” on the surface. In this implementation, the surface is rapidly switched between diffuse and transparent, so that you can use a secondary diffuser surface on top, which shows a different image. You have to see a demonstration to understand it – mms://wm.microsoft.com/ms/research/projects/secondlight-cambridge/secondlight.wmv – it’s a little flickery, in real-life too, but the team assured me that it can be made less so.
Commute UX – Dialog System for In-Car Infotainment
Will this stop executives requesting shorter passwords for unlocking their phone while driving? Probably not.
Back-of-Device Touch Input
Anyone using an iPhone or similar touch-based device will be familiar with the issue that your fingers are covering the image you’re trying to manipulate. By putting a sensor panel on the back of the device, you can reduce the size of the display without making it impossible to read while you select.
Augmented Reality
Combining GPS location with stock footage of the place you’re in, this is all about placing extra information into a view (such as a cell-phone with a video camera, or maybe eventually a heads-up display in glasses / goggles) of the world around you, by recognising where you are. Can be used for games, directions, advertising, city guides, or post-it notes without the paper.
Recognizing characters written in the Air
Entertaining just to watch people dragging an apple around to make letters on a screen in front of them. Probably more useful in the mode where the lid of an OHP pen is the “bright spot of strong solid colour” being tracked in mid-air.
Colour-structured Image Search
Draw a rough colour picture of the image you want to see, and get a page of search results from around the web. The demonstrations consisted of drawing pictures of flowers, or flags, or a sunset. I foresee widespread abuse once deployed, although it will mean that people who usually draw on bathroom walls will be moving their talents online.

RSS feed for comments on this post. TrackBack URI

Leave a comment

© 2017 Tales from the Crypto   Provided by WPMU DEV -The WordPress Experts   Hosted by Microsoft MVPs