Uncategorized – Page 3 – Tales from the Crypto

Uncategorized

Time changes man; man changes time.

Because of a project I was involved with over a decade ago, I have an abiding interest in the algorithms and heuristics people use to tell time and dates on computers.  [It’s also why we didn’t have any Y2K issues with WFTPD and WFTPD Pro, although we will have Y2K36 issues]


Every so often someone will ask me why computers can’t get times and dates right.


The biggest reason is that time is relative.  Even if you’re not talking about General Relativity effects, where your acceleration or local gravity affects the relative speed with which time travels, there’s the simple issue that the clock inside your computer is not running at quite the same speed as the clock inside mine.


But that’s okay.  The time setting is allowed to drift – the software in your system allows for adjustment of the clock either manually, or by reference to an external source, and most network applications that care to know about time expect that the two ends of a network connection may differ by several seconds, maybe even minutes, if they are not required to be synchronised with a central time source.


Those applications that are required to keep historical information have a different challenge – you see, a date has to contain information not only about when it was, but where it was as well.  George Washington’s birthday and age are often specified rather vaguely, because he was born just before the date (February 1752 – March 1753) when Britain and her territories changed from the Julian calendar to the modern Gregorian calendar.  This brought our modern leap-day system into effect in those countries, and since the rest of Europe had already been on the Gregorian calendar for several years, we had eleven days to catch up.  There were some interesting issues there (for instance, let’s say you get paid on a daily basis, but your landlord expects a full month’s rent for the month), even some riots with people demanding their eleven days back.  Oh, and the beginning of the year changed from March to January, just to make things even more confusing.


“I’m glad we don’t have to deal with that kind of thing these days”, you might say.  Oh, but we do.  Every year, various parts of the world artificially advance and retire the time by an hour.  When they do it is more or less random.  Where they do it is more or less random.


The proper answer to all of this should be that we keep all our times and dates in UTC, the Universal Coordinated Time zone, which more or less coincides with GMT, and that we use an offset from that to declare where we are right now, and to show times to people.  It still amazes me when I see programmers missing this obvious step.  It leads to some horrible errors in calculation, which often need to be manually corrected for.  I once had a flight that arrived during the repeated hour on an autumnal daylight saving time change, and because arrival and departure times are printed and displayed in local time format, I had no way to tell how long my flight was, or how much time I had till my connection.


This sort of confusion doesn’t occur very often, but those are just the kinds of bugs that leave users scratching their heads.

Who’s stealing from who?

This is one of those strange blog topics – can’t be written about while I’m experiencing it, but isn’t important enough when I’m not experiencing it to be bothered to write about it.  So I’ll blog it while I’m not even remotely close to being in the middle of it.


Someone reminded me the other day that I used to say that I would not stay long with a company that locks up its stationery supplies, and has asked me why I feel so strongly about this.


The reason is simple, and ties in with my posts about low-hanging fruit and top-ten lists – if you really think that this is where you need to focus your effort in getting your corporate funding sorted out, you’ve got far bigger problems than mere stationery, and you’re just not paying attention to them – maybe you’re even avoiding them.


But it goes beyond that – it goes to the idea that “our employees are stealing from us”.  Yeah, quite probably one or two of them are.  And if you find your employees have a thriving “surplus stationery” stall at the local market, that’s grounds for immediate termination.


Most of your employees, though, are using that stationery to do their jobs.  So they take a pad and pen home… are they stealing from you?  If they are doing so in order to work on some numbers over the weekend to meet an artificially tight deadline, maybe you’re stealing from them!


I’m not against overtime, and I don’t work to set hours.  My bus schedule may require that I say “either I go now, or I stay late and get a cab home”, but I don’t think that’s the same.  But I do find that there are places of work where I’ve been expected to work considerably longer than the agreed-upon hours, with no commensurate change in pay, and where I’ve been unable to acceptably maintain the amount of time I spend with my family.


Ever since the eighties, the corporate environment in the UK and the US has shifted away from the traditional employer / employee relationship and towards treating every employee as an independent contractor, able to be laid-off in an instant, and re-hired when demand resumes.  That’s a result of tighter profit margin planning, and perhaps it’s the way we have to be – but employers are starting to notice that employees no longer feel the same pull of loyalty towards their employers as they used to.


There’s a silver lining to this all, however – if you act as an employer in a way that suggests you trust your employees, and have a loyalty to them, you’ll get the same back in spades, because there’s nowhere else to get that.

Scott Adams is a whiner.

First, let me say I’m one of Scott Adams’ biggest fans.  I am fairly confident in that, since I am significantly bigger than most people, and most people are fans of Scott Adams.


Who he?  He writes and draws the Dilbert cartoon, that’s all.  As such, he is the frequent biographer of my life.


So why do I think he’s a whiner?  Well, it all started with the new job…


My new job is about an hour’s drive away from my allergist.  Since most jobs are reluctant to allow you to take two and a half hours away from your desk once a week, I resolved to get a new allergist.  Okay, so really, my wife resolved to get me a new allergist, because I rarely have the organisation to sort through a list of doctors and find me a new one.


So, she crawls through the list of allergists on the insurance company’s web site, finds one that’s reasonably close, and signs me up for an appointment… which I promptly miss.  I sign up for another appointment a month or so out, as that’s the soonest he’s available, and I come back fifteen minutes early for the appointed time.  I have all the forms filled out, and I hand them over, along with my co-pay, and get shuffled into an examining room.


The doctor comes in to examine me, and asks what I’m looking for him to provide, so I tell him I’d like him to help me with my allergies.  He tells me “I’m not an allergist, I’m an Ontolaryngologist”.  That’s quite some spelling mistake for the insurance company to make. The short version – he’s an ear, nose and throat doctor.  I’ve been to these kind of doctors before, because I used to get terrible ear-aches, and I can’t easily equalise pressure in my inner ears when diving or in a plane.


Since I’ve already paid my co-pay, and the doctor has some time set aside for me, he offers to examine me anyway, and see that I’m in good ontolaryngological health.  Then he makes that noise that car mechanics often do, where they suck air in through their teeth, and you know that your car is going to be theirs for the next week.


“You’ve got a significantly deviated septum.” says the doctor, and suggests that he can fix it.  As he goes to list the litany of symptoms that I might be feeling as a result of the “mechanical restriction of the airway”, I realise he’s describing a bunch of things that I’ve been irritated about for a while – headaches, snoring, yawning, nosebleeds, inability to breathe through my nose most of the time, etc, etc.  And, since I’ve been on a kick lately of eradicating those minor annoyances that perpetually get in the way, I practically jump at the chance for him to operate.


Then I find Scott Adams’ blog, where he talks about the aftermath of his septoplasty – not exactly in great terms.


“as pleasant as … using a rabid porcupine to loofah … having a head that looks exactly like a soccer ball and living in Brazil … being Darth Vader about an hour before he gets the helmet”.


So I spend the month prior to the surgery getting more and more anxious, and wondering if I should try and back out now before the pain happens to me.


Well, last Friday, I went in for the septoplasty.  Quite frankly, I’ve had more painful nosebleeds from someone turning round too fast in a crowded bar with their elbows raised (why do people do that?)  Granted, I’ve got some great medications to make it all dreamy, but I’m sure that one of the most successful living cartoonists had access to those – and don’t think that I get better health care because I work for a health insurance company.  [Looking at some of the people that work in the same building as me, it’s clear that health is not necessarily their priority in life]


So, two days later, and I’m starting once again to breathe through my nose.  Already, I feel better than I was.  In another few days, they’ll remove these “stents” (basically, they cut a ballpoint pen in half, and stuck one half up each nostril to keep it open), and I’ll be up to my new breathing capacity.  Quite frankly, I can’t wait.


If you’re thinking of having the septoplasty yourself, don’t listen to Scott Adams.  It’s not that bad.  Scott Adams is a whiner.

Sometimes it’s good to be a foreigner

Every now and again, I go looking to foreign versions of various web sites – mostly, because of my own background, I go to UK sites (because that’s where I grew up), or US sites (because that’s where I live now).


Here’s a UK gem that US developers aren’t aware of: http://www.microsoft.com/uk/msdn/events/nuggets.aspx – MSDN Nuggets – a 10-15 minute exposition on a developer topic, for people who are too short for time to make it through an entire one-hour webcast (and I’ve met very few developers who can sit still for a whole hour).


Then there’s the sites where I don’t even read the language – but in the case of Microsoft’s Japanese Security pages, you don’t have to!  [Wouldn’t it be nice if the English Security notices included such a simple demonstration of how an attack can proceed?]


Of course, for the most part, the feeling is the other way around – the US sites get all the best offers, the new features, etc, etc, but occasionally local ingenuity allows you to get something useful from a site outside the US.


Broaden your horizons – there’s a whole world of information out there, and it’s all as close as your desk!

Sometimes it’s hard to be a developer…

I’ve spent a while adding new features to my FTP client, and you’ll get to see some of that in a month or two, when it all comes together as a release.


One of the latest is “drag and drop” – and I went searching for advice on how to do the drag and drop from “virtual folders” – i.e. when the files don’t exist locally until you actually do the drop.  So you can’t do the easy method of passing a file location to the drop target.  I found a great document that perfectly describes what I need to do:


“Handling Shell Data Transfers”


Great, clear, simple advice (simple, if you’re a developer) on how to do drag and drop – and it serves a second purpose, that of cut/copy and paste.


So, I get the drag and drop working, and then I go to look at the cut/copy and paste, and add the few lines of extra code needed.


It doesn’t work.


I realise quickly that the following lines are the problem:



7. When the paste is complete, the target calls the IDataObject::SetData method with the CFSTR_PASTESUCCEEDED format set to DROPEFFECT_MOVE.


8. When the source’s IDataObject::SetData method is called with the CFSTR_PASTESUCCEEDED format set to DROPEFFECT_MOVE, it must check to see if it also received the CFSTR_PERFORMEDDROPEFFECT format set to DROPEFFECT_MOVE. If both formats are sent by the target, the source will have to delete the data. If only the CFSTR_PASTESUCCEEDED format is received, the source can simply remove the data from its display. If the transfer fails, the source updates the display to its original appearance.


No matter how much I try, I can’t get CFSTR_PASTESUCCEEDED into my SetData method.  I get the CFSTR_PERFORMEDDROPEFFECT format, so I know I’m setting it up correctly, but I get no CFSTR_PASTESUCCEEDED.


Days of trying different code, different ways of triggering the paste, go by, and I finally realise that there is no CFSTR_PASTESUCCEEDED coming from Windows Explorer – and since this is the de-facto drop target, that’s exactly the model that is going to be followed by every other drop target I’m going to meet.


I’d really love to tell Microsoft about this, and get the documentation fixed.  This used to be dead easy – I’d click on the “SDK Feedback” button, and send an email.


No “SDK Feedback” button any more.


Why not?  Where did it go?


What’s in its place?  Nothing terribly useful – a link to a web page that I can fill in.


Can I attach a file of source code to demonstrate this?


No.


Can I italicise words that are important?


No.


Does the web page offer any extra capabilities that can’t be done in an email?


No.


So, why did this happen?  Beats me.


I finally decided to give up and ignore CFSTR_PASTESUCCEEDED entirely.  It seems superfluous.  I do find it thoroughly irritating that my time is wasted once again, because I tried to follow specific documentation that turned out not just to be wrong, but to have unnecessary, and incorrect, extra detail.  This isn’t the first time (the last time was when I was following documentation on how to close SSL connections), and I doubt that it will be the last.

Statistics and the news.

News coverage gets me irritated whenever statistics are mentioned.


This morning’s example (paraphrasing): “South African gays are upset about discrimination in blood donation; their donations are being refused, despite the fact that the majority of HIV cases in the country are in heterosexual women.”


I’m not wondering if there really is or isn’t a case of discrimination going on there; what irritated me is that there’s actually no valid statistical link between the two clauses of the sentence.


That’s one example; it’s on NPR, so I’d have thought they’d take a moment to get it right. Here’s another example from New Scientist magazine, who should know better (I’m paraphrasing again):


“A survey of accident victims indicates that more of them have cellphones than the general population, demonstrating that people who have cellphones are more likely to have accidents.”


No, no, no. It demonstrates that people who have accidents are more likely to have cellphones; maybe cellphones appeal to people who drive aggressively!


Notice that neither of my examples are cases where the statistic actually disproves the claim made in the accompanying article; only that they do not lend any valid credence to the claim.


What’s your favourite example of – not a maliciously misused statistic, so much – a statistic that, to the educated reader/listener/viewer, does nothing to prove the claim being made?

Security Koan #1

A user and a security engineer arrived at the business site together.

The user placed his bicycle against the wall, and walked
towards the door.

The security engineer stopped him and said “You forgot to
lock your bicycle.”

The user thanked the security engineer, and went back to lock
his bicycle.

On the way, he noticed the security engineer’s bicycle was leaning
against the wall, unlocked.

“You forgot to lock your bicycle,” the user called to the
security engineer.

The security engineer responded “No, I didn’t.”

Microsoft makes the world safe for porn.

Catching many security professionals by surprise, Microsoft has released an “off-cycle” patch for the recent WMF exploits:


http://www.microsoft.com/technet/security/bulletin/advance.mspx


http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx


A couple of things to note:



  1. Off-cycle means that Microsoft thought that this was important enough to ship early.  That’s a hint that they reckon that a significant number of their users will be affected by this, and the influx of new tech support calls and bad PR due to the patch will be less than the influx of new tech support calls and bad PR due to the exploit.

  2. Microsoft have been getting much better at providing reliable patches, so that “significant number” should actually be relatively low in percentage terms.

  3. The behaviour being exploited is not a buffer overflow.  It’s doubtful whether you can call it a bug.  It’s by design.  The WMF design is lifted straight from the API instructions you’d send to a printer, and those APIs allow the calling program to specify “in the event of an error rendering this image, call me back”, and provide an address to call into.  Where this breaks is in allowing a data file to contain that code.

  4. Data files are code.  Code files are data.  There is no spoon.

  5. Unofficial patches are generally inadvisable, for most users.  “To avoid unknown third parties installing code on my machine, I will install code on my machine from an unknown third party.”  Make sure you have reason to trust any third party whose code you install.  Maybe the unofficial patch floating around for the WMF exploit is good and trustworthy, but it’s a risk you should consider.

Happy New Year!

It’s now officially 2006, at least in UTC – so I’m going to ask the following simple question:

What did you do with your extra leap second this year?

In related news, it’s worth noting that the US government is pushing for the leap second to be abolished.

Whuh?

I haven’t looked into it, but this seems to be really stupid. Most devices I’ve used fall into one of three categories:

Inaccurate

These devices (or their owners / administrators) can’t keep time to anything like a second over a year, so they aren’t going to notice a change of a second, whether it’s added at the end of the year, or phased in throughout the year by making seconds longer.

Remotely set

I got one of these this year – a watch that receives a signal from the NIST giving the current date and time. Obviously, owners of these devices don’t have to do anything, because NIST keeps the signal updated with leap seconds.

Highly accurate

There are some devices – atomic clocks, etc – that need to maintain accurate time, because they are used to control or monitor astronomically important things, like telescopes, etc. Those machines need to know the time in relation to the progression of the earth through the solar system, so presumably they make good use of the leap seconds to ensure that the time they display is always close to the visible local time.

So, where’s the fuss? What could it possibly benefit to kill the leap second? Is the leap second really causing anyone any confusion? I’d love to know.

NTFS Alternate Data Streams (ADS) & Win2003.

I just noticed a new pair of functions in the Win32 API for Windows Server 2003 – FindFirstStreamW and FindNextStreamW. These are interesting from a security perspective, if for no other reason than that alternate data streams are useful places to hide data.

Before this function, a programmer had to open files with “Backup semantics”, and work his way laboriously through the structure of the streams within the file in order to find out what streams there are. Here’s the sort of code you had to write:

int EnumStreams(const WCHAR *file, StreamEnumProc *func, void *funcarg)
{
    WCHAR wszStreamName[_MAX_PATH+sizeof(WIN32_STREAM_ID)];
    WIN32_STREAM_ID &wsId=*((WIN32_STREAM_ID *)wszStreamName);
    DWORD dwRead, dwStreamHeaderSize, dw1, dw2;
    LPVOID lpContext=NULL;
    BOOL bResult=TRUE;
    HANDLE hFile=CreateFile(file, GENERIC_READ, FILE_SHARE_READ,
        NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);
    ZeroMemory(&wsId,sizeof(wsId));
    dwStreamHeaderSize=(LPBYTE)&wsId.cStreamName-(LPBYTE)&wsId;
    while (bResult)
    {
        ZeroMemory(&wsId,sizeof(wsId));
        dwRead=0;
        bResult=BackupRead(hFile, (LPBYTE)&wsId, dwStreamHeaderSize,
                           &dwRead, FALSE, TRUE, &lpContext);
        if (!bResult || dwRead!=dwStreamHeaderSize)
        {
            break;
        }
        dwRead=0;
        if (wsId.dwStreamNameSize+dwStreamHeaderSize>=
            sizeof(wszStreamName))
            return -1;
        bResult=(!wsId.dwStreamNameSize ||
            BackupRead(hFile, (LPBYTE)&wsId.cStreamName[0],
                wsId.dwStreamNameSize, &dwRead, FALSE, TRUE,
                &lpContext));
        if (!bResult || dwRead!=wsId.dwStreamNameSize)
            break;
        if (bResult)
        {
            int nStrLen=wsId.dwStreamNameSize/sizeof(WCHAR);
            wsId.cStreamName[nStrLen]=0;
            func(file, &wsId, funcarg);
            if (wsId.Size.LowPart || wsId.Size.HighPart)
                BackupSeek(hFile, ULONG_MAX, LONG_MAX, &dw1,
                    &dw2, &lpContext);
        }
    }
    BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
    CloseHandle(hFile);
    if (!bResult)
        return GetLastError();
    return 0;
}

Since the FindFirst/NextStreamW functions are only in Windows Server 2003, you’ll still have to do something like that mess on a Windows XP or previous system.

There are still no tools, however, in the base operating system that allow an IT Professional to search for alternate data streams that might be attached to files on his workstation. So, a while back, I created “sdir”, a program that allows you to list alternate data streams on a file or a directory, or recursively through a directory tree. You can find it at http://www.wftpd.com/downloads.htm

Several people have suggested that alternate data streams (or ADS, as they are often referred to) are ideal for infecting a system such that the virus scanner will not find the virus. That’d be true, except for a couple of things – first, that the virus would still need to arrive on the system using a method that would allow virus scanners to look for virus signatures. The virus would have to travel through a download – which doesn’t have a hidden stream – or an email – which doesn’t have a hidden stream – etc, etc. Second, the virus scanners have already added ADS scanning to their repertoire.