Category: Life, the universe, and everything…

  • 40 years ago today, humanity landed somewhere else than Earth

    40 years ago today, three brave folks and a huge team at NASA (and indeed the entire industrial military might of the USA) travelled to the moon, and two landed somewhere else other than Earth. Neil Armstrong and Buzz Aldrin stepped out for two and a half hours, slept for a bit, ate a meal, and nearly 22 hours later came back to Earth.

    It was an amazing achievement, one that brought all of humanity closer together.

    Once you see the photo of the entire Earth from Apollo 8, national borders become irrelevant, nationalities are irrelevant, and petty politics and hateful people are irrelevant. We’re on this one small blue globe together, and we have to look after it together. Stupid shows like “Border Security” show the small minded at work. One day, and I hope it will be soon, such petty and silly concerns will be as quaint as the feudal towns who were as countries unto themselves not even 600 years ago. We breathe the same air, we’re all related together, we eat the same food. We’re all doomed if we continue to think like four year old children who refuse to share the sand pit because “it’s mine”. Nations, borders and immigration controls cannot be demolished soon enough.

    However, space exploration is best left to robotic missions. They are cheaper, safer, and they can do more. The only manned moon mission that achieved decent science outcomes was Apollo 17, and that was because for the first time, they sent a geek instead of flying jocks. You can teach geeks how to fly, but you can’t teach jocks to be geeks.

    The shuttle has been a total disaster. It has locked us into low earth orbit, does almost no science, costs zillions, killed two crews, and by the time it retires, it will have delivered only a very small number of scientists to a completed ISS, which will hamper ISS’s ability to do science. There’s a good chance after the shuttle retires, science at ISS will stop. This means about $1T has been wasted building a nonsensical space outpost. It has provided a large number of contractors with awesome corporate welfare for over 30 years, but that’s not an “achievement”. It doesn’t get us all thinking how great we are as a species, nor fosters good will amongst all peoples. Boondoggles are like that. We’ve squandered enough life and money on such frivolities.

    Robotic missions like Pioneer, Voyager, Hubble, Galileo, Cassini, Deep Space One, SOHO, Messenger, Mariner, Viking, Pathfinder, Spirit and Opportunity and now the new Herschel mission provide far more science for the buck. Indeed, Hubble has provided more papers than any other observatory and confirmed some of the most intriguing basic properties of the Universe.

    All publicly funded space missions should be robotic missions. Let’s leave people in space to commercial interests, as there’s no scientific reason for them to be there. We need to have people in space, but not by public funds. If human space exploration were funded privately, the funds required to put them there would be optimized rather than being solely about corporate welfare to the military industrial complex. Such space ventures should be regulated for sure, because we don’t want another disaster like the Shuttle killing off an exciting new path for humanity, but it should not be publicly funded. We need to dream big and think about how to get there faster. The nearest star is at least 160,000 years away travelling at Helios speeds (which is currently the fastest thing we have ever launched). That’s far too long for an interstellar mission. We’ve got so far to go, and yet we’ve wasted 30 years doing nothing of any real lasting value in low earth orbit. That has to stop. We must move on.

    Don’t get me wrong, I’m all for more space faring activities. One day we will need to get off this planet, and developing those technologies may as well start now. Just not in the failed ISS or back to the future moon missions (Orion / Ares).

  • Soon, there will be one

    Well, what an interesting weekend. A cold, working like a slave, and one of my co-workers is a father for the first time (Congrats, Ty!). But that’s not the most interesting news.

    I will be taking sole ownership of my forum, Aussieveedubbers, sometime this week. This means that I will have to spend a bit more non-existent personal time attending to it.

    This is good and bad news:

    • For UltimaBB, the underpinning forum software, it’s fabulous news. UltimaBB was never released and is now effectively a dead project. My acquisition of AVDS gives me the impetus to make the forum software as good as I can make it. Once I’m done, it’ll be by far the most secure PHP forum out there. Very few open source programs ever get the chance of a top to bottom code review. Once I’ve fixed all those issues, I will think about possibly adding a few flashy features and integrating it with CPanel and others, so ISPs can easily deploy it. Obviously that integration will not come cheap. Hopefully, I can start to earn a bit of income from the forum, finally.
    • For OWASP, this is not good news. I have two current projects, the Developer Guide and ESAPI for PHP. I need ESAPI for PHP to be complete to help UltimaBB, so you can guess which of the two projects will get my time.
    • For my personal life, I hope Tanya will forgive me making her do some basic accountancy work. I think it’ll ease her eventual way back into the workforce in a few years, as she is terrific at accountancy, and I would hate to see her lose all her skills for the want of a bit of work here or there. However, it’s not just delegating the book work to my poor suffering wife, it’s also a bit of an ask for the few hours I have to give right now.

    So if you want to help with the Developer Guide, please join the mail list and let us know how much time you have, and where your interests are.

  • Texas School Board of Education ^W Dumbasses

    SHAME! SHAME! SHAME!

    Texas’ Board of Education will be ridiculed by pretty much everyone (including me in this post). I would make more fun of them if the consequence of their gross incompetence didn’t lead directly to irreparable harm to the next ten years’ worth of students, who will be unemployable in any medical, bio medical, biology, DNA testing, stem cell research, drug research, geology, paleontology, farming, animal husbandry, crop research, or pretty much any field which requires them to understand the basics – or indeed, fine detail – of evolution.

    Modern medicine, to name but just one field, doesn’t make ANY sense except if evolution is true. It’s as simple as that. There’s about as much doubt regarding evolution as there is doubt the planet is round and is orbiting our sun.

    In my view (and IANAL), these students have due cause to sue the asses off the Board of Education for future earnings loss. What does a specialist medical doctor make per year? Half a million? A million per year? Multiply that by the number of students in each of these fields… whoa, that’s a lot of moolah.

    I call on all biology text book authors to refuse to allow “updated” editions to be issued with the forthcoming Texas changes. If the schools can’t buy any books, so be it. They can use the ones they have today that have the facts, instead of sowing doubt. Scientists everywhere should make it incredibly clear to their congress critters and senators, as well as their local Boards of Education, that this decision is about as dumb as they come.

    I’m actually struggling to understand how “educated” folks, charged with the incredible responsibility of educating their state’s children, could be so abusive. They should be sacked immediately and this terrible position struck down for all time.

  • Baby Girl Makes 21,710,079

    Mackenzie is now an Australian citizen. Awesome.

  • The new dark ages are approaching

    When I left for America, I was surprised at how few places accepted electronic payment methods compared to our experience in Australia. By the time we left the USA barely two years later, that was not a problem – almost everywhere took cards.

    Except … now, we’re back in Australia, and things have gone backward. Few places have EFTPOS now. It’s actually hard to pay electronically. Where I live, it’s impossible to buy coffee using EFTPOS, debit or credit cards.

    I bet it is because the local Big 4 banks are cutting their noses off to spite themselves. It leads me to believe we are entering the downward spiral into luddite non-use of electronic payments. We may have seen “peak” EFTPOS rollouts, and it’s all downhill from here.

    We’ll be a cash society soon, and this is incredibly bad. So many things that were once trivial to do now require effort. It will cut economic output. Folks like me, who refuse to pay the “disloyalty” fees at ATMs, just will not buy at places without card machines once we run out of cash.

    This is bad news for the local economy, bad news for the banks, and bad news for employment. And bad news for me because I do not get a good cup of coffee and I’m pissed off.

  • Back in Australia

    It’s a bit of a shock coming back. Some things are the same, many things are very different.

    I had been homesick for some time, and I was glad to meet up with my family and my cat(s). Unfortunately, Greebo either did not remember me or worse, didn’t want to talk to me. Meebles was not to be found. I hope I can look after them again soon. Mackenzie is a universal hit here with everyone, which is awesome. She’s also taking well to so many new faces.

    The weather changed from being icy and snowy -5 C (20 F) to a scorching 47.9 C (118.2 F), with the worst fires on record raging about 200 km from where we now live. We’re okay – even if so many are not. My thoughts are with those affected by the fires.

    The sunsets are glorious – I’ve missed them. You can only work this out once you actually viscerally experience something old you fondly remember. The light is different here, and not just because the air is tinged with burnt ash and smoke.

    The shopping hours have shortened, and the online shopping options that were in Australia seem to have disappeared. I remember far longer hours in the past, and many more options … but they’re gone. Oh well.

    I managed to drive on the correct side of the road with no real issues – still haven’t turned into the wrong lane, although shopping center car parks are still interesting.

    TV is still crap, and yet awesome. I had missed good news coverage, and weather forecasting that is within 1 degree C of the actual temperature a few days out, and now I have it back. I miss the ease of watching what I want on my Tivos, but then again, I now have a lot more time to do stuff with my family. I always found US TV a bit odd – almost everything was bleeped, but there was no diminution in the number of bleeps. Tonight, I watched a depression special with one of the world’s best comedians, Stephen Fry, and he dropped the c word, and various other words that would be bleeped in the US. I will not miss the bleeping.

    We’re well on our way to restarting our life here. Life is good.

  • Speaking at OWASP AU

    I will be speaking at OWASP AU 2009 this year!

    I am conducting a one day training session on how to BUILD secure applications using ESAPI and verify them using the Application Security Verification Standard (OWASP ASVS). If you are a builder, you will want to attend that class, which is very reasonably priced at USD $650. Typical instructor led training is $2500 per day – at least. The main conference is only USD $425, which is a bargain compared to Black Hat or RSA.

    During the two day main agenda, I will be speaking about why you should be protecting your VALUE, and not worrying so much about THREATS. It’s time we stopped worrying so much about XSS and so on, and moved on to something that actually pays some returns.

    Get your registration fingers happy here:

    See you there!

  • Andrew: Cultural Learnings of America Benefit Glorious Nation of Australia

    Well, it’s time to go home.

    We’re leaving the USA at the end of the month, and should be back in Australia February 2-4.

    It’s going to be a bit busy over the next few weeks whilst we pack, sell all our worldly goods, and organize our new life in Australia.

    I’ve had a blast whilst in the USA, and I’ve been to (at last count) 25 states. I will update my Google Map and find out for sure. I’ve seen lots of places I’d never have come to by myself, like Pittsburgh, and loved every bit of it. I’ve been to places that I would have visited anyway, and loved them – like Miami, SF, NYC, and DC. Recently, we started exploring Baltimore, but unfortunately, that’s going to be cut short. I hope to make the Air and Space Museum before we go, but the amount of stuff we have to do, including selling the car, may simply preclude that.

    I don’t have a job lined up yet, so if you are in a position to hire a remote worker or have a position in Melbourne or Geelong, Australia, I’d love to hear from you. You can find me on Linked In, and I’d be happy to give you my current resume.

  • 2009 – The Year of WebAppSec Solutions

    “He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984

    Looking back at the last few years, we’ve made some huge leaps at swatting issues that bit us in the past, but still have not made a huge fundamental leap to controlling the future, and in particular controlling the risk from VALUE attacks, such as phishing, crime ware, and process issues (aka business logic issues).

    I’ve been interested in process issues for a long time, as it’s the easiest way to get VALUE out of a system. One of the earliest web app sec attacks was against CDNOW back in the mid 90’s. They preceded and were bigger than Amazon for a long time. Ultimately, Amazon acquired CDNOW. Why? Apparently, they had a cool front end shopping cart, a payment system and a shipping system. Sure enough, the shipping system took a bunch of hidden fields and accepted a “paid=yes” type of flag. So essentially, you could fill in the hidden fields with the CDs you wanted and skip ahead to the ship bit, and get free stuff. End of story, they’re part of Amazon today instead of the other way around. The opportunity cost of being insecure for CDNOW can be measured in billions and will continue to rise as the years go on. That one attack wasn’t the end of the business, but it set them along the path.
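    The CDNOW pattern, as an added example that is not from the original post or from CDNOW’s code: a shipping step that believes a client-supplied “paid” hidden field, beside one that consults only the server’s own order record. The catalogue, order table and request are constructed for the demonstration.

```python
import sqlite3

# Constructed catalogue (prices in cents) for the demonstration; not CDNOW's real data.
CATALOGUE = {"CD-1001": 1499, "CD-1002": 1999}


def make_store():
    """In-memory orders table: the server's own record of what has been paid for."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, items TEXT, paid INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO orders VALUES ('ORD-1', 'CD-1001,CD-1002', 0)")
    return conn


def ship_trusting_form(form):
    """Vulnerable pattern: the shipping step believes hidden fields sent by the browser.
    Anyone who edits the form can set paid=yes and skip the payment step entirely."""
    if form.get("paid") == "yes":
        return {"shipped": True, "items": form["items"].split(",")}
    return {"shipped": False, "reason": "payment required"}


def record_payment(conn, order_id, amount_paid_cents):
    """Only the payment step may flip the server-side flag, and only for the full price."""
    row = conn.execute("SELECT items FROM orders WHERE order_id = ?", (order_id,)).fetchone()
    if row is None:
        return False
    owed = sum(CATALOGUE[sku] for sku in row[0].split(","))
    if amount_paid_cents < owed:
        return False
    conn.execute("UPDATE orders SET paid = 1 WHERE order_id = ?", (order_id,))
    return True


def ship_from_server_state(conn, form):
    """Hardened pattern: the form may only name the order. The item list and the paid
    status come from the server's record, so client-supplied 'paid' and 'items' are ignored."""
    row = conn.execute(
        "SELECT items, paid FROM orders WHERE order_id = ?", (form.get("order_id", ""),)
    ).fetchone()
    if row is None or row[1] != 1:
        return {"shipped": False, "reason": "payment required"}
    return {"shipped": True, "items": row[0].split(",")}


if __name__ == "__main__":
    # Constructed request: an edited form that claims paid=yes without any payment.
    forged = {"order_id": "ORD-1", "items": "CD-1001,CD-1002", "paid": "yes"}
    conn = make_store()
    print("trusting form:", ship_trusting_form(forged))           # ships unpaid goods
    print("server state: ", ship_from_server_state(conn, forged))  # refuses
    record_payment(conn, "ORD-1", 3498)
    print("after payment:", ship_from_server_state(conn, forged))  # ships
```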

    So why, in 2009, do we allow 1995 era attacks to succeed? Why is this stuff not taught at University? Why are the business folks who make really bad decisions allowed to continue on doing the same old, same old, when they should know – do know – that it’s going to cost them a lot more in the long run?

    So let’s look at the lows and highs of 2008:

    Highlights of 2008:

    • PCI compliance starts to hit merchants. They still suck, but unlike before, they’re now going to have to fix their stuff or go out of business
    • PCI 1.2 updated to OWASP Top 10 2007. Awesome.
    • OWASP has a huge security summit in Portugal, deciding on future directions, and an awesome set of security conferences around the world. I think we have hit critical mass
    • OWASP Application Security Verification Standard Released

    Lowlights of 2008:

    • Phishing and malware links as tracked by APWG rose to their highest level ever.
    • Massive compromise of credit cards continues – vendors continue to flout PCI regulations and common sense.
    • SQL injection attacks launch a million malware infestations

    This basically means that attackers have been noted by the mainstream media and others as attacking VALUE through web apps, and not assets, like pwnage. They don’t care about the mechanism so much as the money. This has been my view for at least five years. I don’t care if you control a 100,000 bot fleet – your just deserts are coming soon in your very own dawn raid. I do care if you can steal from 95,000,000 folks or defraud thousands with one e-mail.

    “How’s that working out for you?” – Dr Phil McGraw

    When we do something that is clearly not working, it is beyond time to do something different.

    Back in 2002, I was doing security architecture in web apps for some of my more forward thinking clients. I have a draft book in my OWASP folder on Web App Security Architecture I started in 2003. When I moved to the USA in 2006, security architecture was completely off the average US enterprise architect’s radar. Only today are we seeing some traction in this space, and not everywhere.

    Success stories elsewhere

    With air safety, various safety bureaus review crashes and make binding resolutions on pilots, manufacturers and airlines to remediate design issues and human factors. For example, in many cultures, a strongly hierarchical society is the norm. More than a few co-pilots have sat meekly by, refusing to override their captain as they plowed straight into the ground. So the airlines were forced to change the human element in the cockpit, forcing subordinates to take control when the situation warranted it.

    Air safety is a poster child for what can and should be done. From the early days when cowboys ruled the roost and many died, to today when only rail is safer per million passenger miles, air travel is one of the safest transport forms, despite being so inherently dangerous from a physics point of view (speed, height, traffic density, weather conditions, etc). We need to emulate air safety. Web application security is at the point where enforceable regulations are in their early days, like seat belts in cars were 50 years ago.

    We can and must skip 50 years. I’m not a huge fan of heavy handed regulation as I feel it will stifle the next big thing if done wrong, but I think many languages and frameworks are settling around a few major paradigms. We can help them, and they must help their users.

    We KNOW how to secure those meta-issues. We MUST secure those meta-issues. So here’s my 2009 Wish List:

    Education

    We have to educate those who come after us. This means getting into every CS and Software Engineering course world wide, and ensuring they have at least one mandatory security architecture / software security subject.

    All applications share exactly one feature: security. I don’t think you can be a sound practitioner unless you have at least heard about this most fundamental of issues. It’s like graduating accountants who have not completed Audit 101. It’s completely ridiculous that there’s no equivalent in most CS and software engineering degrees today.

    I am also only going to speak at developer and architecture conferences. Speaking at security conferences is awesome and I usually get married or drunk or both, but it really doesn’t advance the state of the art. Architects and developers must get on board, and to do so requires their buy in.

    Eliminate XSS and SQL injection

    We really need to get some basic technical things off the radar, so in 2010 and beyond we can deal with VALUE attacks. To that end, 2009 should be spent encouraging open source and vendors to fix XSS and SQL injection. We know how to fix these things. OWASP’s ESAPI has the canonicalization, input validation, and output encoding features that every application can use. Every modern framework has prepared statements or a safe(r) mechanism than dynamic statements.

    I encourage the OWASP leadership and those in leadership positions to take a stand on these two items. I call on all framework providers to make the simplest possible output mechanism XSS safe. I call on framework providers to deprecate and eliminate dynamic SQL queries, or at least make serious warnings pop up so that folks know that they should not be using those interfaces. I call on open software repositories to stop downloads of packages that have open CVE entries. It’s important to bubble up the importance of safe software, and we can’t do this by wishful thinking.
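    The two fixes the post asks frameworks to make default, shown as an added example that is not from the original post, ESAPI or any framework: a dynamic SQL query beside its prepared-statement form, and an output path that HTML-encodes every value it emits. The user table is constructed in memory with sqlite3.

```python
import html
import sqlite3


def make_db():
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_dynamic(conn, name):
    """The interface the post wants deprecated: the user-supplied value is pasted into the
    SQL text, so it can rewrite the query's logic instead of just filling a slot. A
    perfectly honest name such as o'brien also breaks it (OperationalError)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    """Prepared statement: the value travels separately from the SQL text, so whatever it
    contains, it is only ever compared against the name column."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_profile(name, email):
    """Output encoding on the simplest output path: each value is HTML-escaped (including
    quotes, so it is also safe inside attributes) before it lands in the page, so markup
    in stored data is shown as text rather than interpreted by the browser."""
    return '<p class="user">{} &lt;{}&gt;</p>'.format(
        html.escape(name, quote=True), html.escape(email, quote=True)
    )


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"        # value that changes the meaning of the dynamic query
    print("dynamic: ", find_user_dynamic(conn, crafted))   # every row comes back
    print("prepared:", find_user_prepared(conn, crafted))  # no row has that literal name
    print(render_profile("<script>alert(1)</script>", "a@example.com"))
```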

    We can do this. It’s not a pipe dream.

    Security Architecture Is a First Class Citizen

    It’s important to start putting security architecture in its place – which is every bit as important as the shiny buttons folks click or the processes businesses use to get stuff done. We cannot hope to eliminate design issues that allow VALUE attacks unless security architecture fu is strong within every organization writing software today.

    Although history is written by the victors, we’re a long way from victory. Let’s get cracking!

  • Santy Paws Came To Town

    Well, that was a blast.

    On Wednesday afternoon, I took Baby Girl to see Santy Paws (Satan Claws or Santa Claus, depending on if you believe in Ceiling Cat, Basement Cat, or are just a plain pagan). We stood in line for close to three hours. There was one Santa’s helper on duty, and for obvious reasons (being ridiculously old), he kept on taking breaks. You’d think Columbia Mall would work out…

    Thousands of parents x $13.95 (at least) per sitting == they can afford more than one Santa, and possibly a few hundred Santas.

    But no. Oh well.

    Baby Girl was awesome. She hung out in line with me even though she had little to do, and couldn’t go crawling or exploring – which as every parent knows is a recipe for Total Munchkiness. However, she was happy for the most part – including the first bit when we shuffled past Santa’s Grotto on the way to the entrance some hour or so ahead. She liked what she saw – kids sitting on this old man’s knee and stuff going on. However, looking back now, I think it may have been the computer and the cameras. She’s an awesome geek grrl and loves her gadgets.

    The line went on and on. When she got too antsy, I gave her some puffs and water. After about two hours, she started getting really antsy, trying to stand up and get out of the stroller. So I fed her one of the last pre-made bottles. Awesome baby girl returned. I didn’t know how much longer she’d last as it was well past nap time, but I persevered. She let the slightly older girls just in front of us touch her face and play with her toys on the front of the stroller. Things were looking good, even though I really wished she had taken a nap.

    She was ultra good right until the end. Santa took a break just before me, and as he walked past, Baby Girl started to show the five early signs of being tired, which is being a bit crotchety and rubbing her eyes and being a bit of a munchkin. Oh well, only a few more minutes.

    So Santa came back, and I quickly put her on his lap thinking this could be a one shot deal, all the while making sure she could see me. I didn’t even let go of her hand before…

    WAAAAAAAAAAHHHHHH!

    Tears started flowing, tears of real fear. She stared at Santa, pulled away towards me, and started gulping air. Not good. Although I secretly (okay, not so secretly) wanted a photo of her crying as that makes an awesome 21st birthday picture, I didn’t want what came next…

    BAAAAAAAAAAARRRRRRRRF!  WAAAAAAAH!

    Santa got it good, and so did baby girl’s costume and the floor. Suffice to say, as she’s growing up fast she doesn’t do inoffensive and small up chucks any more. She did a veritable projectile exorcism of toddler barf. It stunk of mostly digested puffs, milk, lunch and formula. Poor baby girl!

    I took her to the men’s bathroom, which thankfully had a change area, and got her cleaned up and changed into emergency civilian clothes.

    She looked at me so sadly that I couldn’t take her back to go sit on the old man’s lap again. I’m reasonably certain Santa was relieved as well.

    So no Christmas photo with Santa this year. Of course, from the Silver Lining in Every Bad Cloud Situation Department: I have an awesome story for her 21st birthday! Yay!