djm's scribble

What a month...

written by djm, on Oct 14, 2003 12:00:00 AM.

Life
The last month has been horrendous. Not one, but two OpenSSH vulnerabilities in the space of a week, resulting in three rapid-fire releases and a lot of late nights for me and the other developers. The latter vulnerability was particularly embarrassing, as it was code that I reviewed and imported. The fact that it had a number of bugs, including one absolutely obvious and critical one, escaped my attention. This resulted in the first portable OpenSSH-specific security problem. These releases are made even less pleasant by the legion of howling trolls and posers who crawl out from under their respective rocks whenever security problems are found in OpenSSH. At least they thicken the skin.

Added to the late nights and stress from OpenSSH issues was a job that is rapidly becoming much more busy. This is good, as I prefer to be busy than left twiddling my fingers, but it is still an adjustment. Anyway, I am learning much and generally enjoying the experience. As I said to a friend “as a professional software developer, I was responsible for creating problems. Now, as a consultant, I solve them!” While this isn’t true from an objective, it sure felt like it at the time :)

Home
The home renovations are slowly and steadily progressing. I thought that chopping down trees was painful, but that is easy going compared to digging their roots out or breaking up and removing concrete. The satisfaction gained from a day of hard physical labour is pretty ephemeral when one considers that the same amount of work could have been accomplished in five minutes with a backhoe.

Reading
Read Ross Anderson’s book Security Engineering. It was quite a good read - very much more in breadth than in depth, though I am probably more familiar than most with the content. Much of the book is written at a moderately high level of abstraction, which I would regard as appropriate for such a dynamic field. There were enough “war stories” peppered throughout the book to keep some of the more abstract sections interesting (I’d have liked a few more, though). Management and procedural issues were relegated to a fairly short section at the end of the book, which doesn’t give them justice (IMO). All that being said, I’d recommend it to anyone involved with IT Security, it provides a good foundation and an exceptional set of references (I have already ordered one of the books off the reference list).

I have just started reading Skunkworks by Ben Rich and Leo Janos. This is the story (from Lockheed Martin’s perspective) of the development of the first stealth fighter. The tone is very “rah-rah” and macho, very removed from any workplace that I have experienced. I don’t know how much of this to chalk up to cultural differences between Australia and the US and how much has to do with doing a job where your work affects the likelihood of people getting killed. I’m about 1/3 of the way through the book, and there is a strong subtext around masculine rites of passage, as the new leader of the Skunkworks tries to live up to the example set by his predecessor. Pretty good read, so far.

A good friend gave me a copy of Feynman’s so-called “Red Book” of physics lectures. I have been slowly digesting these, a process not aided by my usual habit of bed-time reading (my mind being too tired for physics). These books are a wonderful, intuitive and lively introduction to physics. I’m only a little way in, but I have learned a few things already and obtained new perspectives on things I already thought I knew. Again, well recommended.

Crappy day

written by djm, on Sep 16, 2003 12:00:00 AM.

How wrong could I be?

Movies

written by djm, on Sep 8, 2003 12:00:00 AM.

Hacking
I have been a little busy working on the imminent 3.7p1 release of OpenSSH. As always, not everything I’d like to be in there made it in time, but a lot of good things did. Please grab a snapshot and help test it. Some other software of mine (pfflowd) has also been added to OpenBSD’s “ports” collection. As such, it will be on the official OpenBSD 3.4 CD (which everyone remotely involved with Internet Security should purchase IMBO).

Life
Good, except for the passing of my Wife’s uncle - who managed to overfill his funeral church (at age 80).

Politics
I was somewhat moved by a speech by Paul Keating (former Prime Minister of Australia). I thought that Keating was an arrogant man whose manner increased the suffering felt by Australians during some very difficult economic times. I voted (my first in a federal election) accordingly. I also feel that he has been since unfairly vilified as a source of the same economic trouble and that the current government has taken great care to appropriate credit for the unpopular reforms that he helped introduce (e.g. the floating of the Australian dollar). His speech did resonate with me - our current government has our nation rehashing tired old debates (multiculturalism, immigration, public investment vs private ownership) and doing their best to stop new ones emerging. It would be a genuine addition to the political debate in this country if someone from the conservative side of politics could make as eloquent and passionate a criticism in reply. Windschuttle, Henderson, et al are simply not up to the intellectual task. Perhaps Manne could, if he were still on their “side”. Keating’s comments on “baseness” in our culture were interesting (given the shameful Tampa debacle of the last election), reminding me a bit of Cicero’s famous “Traitor” speech.

More generally, I am struggling to develop a personal political philosophy. All the great canned political philosophies (Communism, Capitalism, Libertarianism, Anarchism, etc.) appear to rest on deep assumptions as to the precedence accorded to values and actors in the body politic and no one system seems to quite agree with mine. This may be because my values themselves are inconsistent, but they may merely be different. I aspire to the incisive clarity and consistence displayed by the likes of Orwell (here I go again…), but I struggle to reconcile abstract political philosophy against practical considerations. This is probably a result of my poor education in this area.

Movie - Dersu Uzala
This was Akira Kurosawa’s retelling of Vladimir Arseniev’s diaries of his exploration and relationship with the indigene Dersu Uzala. Through their travels, Kurosawa reflects on themes of friendship, manhood, academic vs practical knowledge and the relationship between man and the environment. Its pace is slow, even by Kurosawa’s standards, but parts are jarringly beautiful. The “Walpurgis night” scene where Dersu is introduced must have inspired every “scary forest” depiction since (including, I suspect, those in The Simpsons). Kurosawa doesn’t besaint either side on the debates touched on in the film, though he predictably ignores women (fortunately he refrains from actively vilifying them, as he often did in his Shakespeare-inspired films). Overall 8.1/10 - not Kurosawa’s best, but well worth it.

Movie - Terminator 3
This was much better than I expected, but still rather frustrating. There were many opportunities in the plot for the film to take on some subtextual strength (e.g. why was Judgement Day inevitable?) or to flesh out the characters (who appear to be two dimensional attempts at emulating the archetypical “Flawed Hero” popularised by comic books). Instead, the film spends its time fetishising the Terminatrix’s exploits (pardon the pun). I’ll probably watch this again on DVD when it comes out (rather than crappy Thai-vision VCD I saw it on), maybe the decent looking action sequences will compensate. 6.5/10 - at least it made fun of itself.

Movie - Finding Nemo
I saw this during daylight hours with no shame, thanks to the assistance of an obliging five year old niece. Finding Nemo was good fun, with a lot of very funny gags along the way - the writers obviously pitched a lot of the writing at the inevitable adult audience, to good effect. Not having seen any previews, I didn’t realise that the film was set in (under?) Australia and was thus unprepared for the consequent overdone accents. Fortunately these did not detract from the film much. The pacing of the story was good, but it lost it a little toward the end where Dory’s character became more annoying. The seagulls looked and acted in a way strangely familiar to lovers of Aardman’s animations (“Wallace and Gromit” and “Chicken Run”). Being ostensibly a kid’s movie, I was pretty pleased with the story’s overall moral framework, which some would invariably label “politically correct” if it was presented in a less subtle form. I was pleasantly surprised that the writers did not make the ending too happy and complete, choosing instead to leave the film’s initial sorrow intact (forgive my vagueness, I don’t want to give anything away). Visually, the graphics did not “wow” me as much as previous Pixar films, but this may be a sign that the medium is becoming mature. I did notice some very cool technical tricks, especially the movement of the anemones and flocking behaviour of the fish. Someone must have done a fair bit of math on these two details alone. 8.5/10 - well worth it.

Movie - 28 days later
One might expect an Englishman to do a good survival horror movie, as the genre was exemplified in “Day of the Triffids” (which scared the hell out of me as a kid, along with the Daleks). 28 days later bears more than a passing resemblance to this classic. The first third of the film is excellent, especially the deserted London. Unfortunately, the middle 1/4 of the film is a little boring and doesn’t add much to the whole. The climax is good and Danny Boyle gives the film enough subtext to make it worth a little ongoing consideration. 7.8/10 - but then, I do like Zombie films.

Misc
Strange, disturbing stuff from my Sister’s blog.

I Live

written by djm, on Aug 21, 2003 12:00:00 AM.

Gah. My worst fears about not being able to keep any sort of a diary have been vindicated (note the two month gap between this and the last entry). In my defence I will say that I have been very busy. Around the time of my last entry I started a new job at NetStar Networks in their security consulting team. This has worked out well so far, with the work being interesting and challenging.

I have just returned from doing a series of seminars around Australia on intrusion detection systems (IDS). This was very enjoyable - my coworkers did an hour presentation on the history and theory of IDS and how one should go about evaluating such products in one’s own network. Following this I conducted an hour of demonstration of a number of vendors’ products, throwing real and simulated attacks against them and discussing the results (or lack thereof). Although we didn’t set out to set the products against each other, it was soon clear that none of the products we demonstrated performed perfectly. I was a bit surprised and disappointed that Snort didn’t do better - it missed a few of our attacks. More scary was one vendor’s response to the demo (they shall remain nameless). Unhappy that our very, very limited demo showed that their product missed a three year old denial of service attack and, worse, was vulnerable to a five year old evasion technique, the vendor demanded that we cease demonstration of their product (with a threat of legal action if we didn’t). Perhaps it is some vestigial sense of ethics, but as a one-time developer of commercial security products, I would have thought the appropriate response would have been to ask us to provide our environment so they could replicate and fix the problem themselves.

Another cool thing happened to me during my two months away from this page: I met up with a very old friend, whom I had not heard from since he moved to the USA sixteen years ago (Hi Paul!). He actually found me by reading my web-site (presumably after some Googling). I wish I had as much luck in searching for old friends online. Catching up was great fun and it was extremely interesting to evoke old memories and attempt to put the last sixteen years into some communicable narrative.

Other random things: saw Battle Royale (wow), chopped down trees (ouch), too busy to write free software, friends are expecting first child, another friend has first child (Simone and I are the odd ones out now), tried acupuncture (despite my rationalist scepticism, it definitely has an effect), reading more Orwell.

Happy Birthday, George

written by djm, on Jun 28, 2003 12:00:00 AM.

This week is the 100th anniversary of George Orwell’s birthday. I first read 1984 when I was fourteen years old and it crushed my soul. We are still far from escaping the dark potentials that he so brutally described. Earlier in the week I discovered one of his essays on the net: Politics and the English Language. I was shocked when I started reading it - his criticism could have been aimed straight at me and my insipid writing style. Fortunately, he provides practical ways to avoid these blurred modes of word and thought.

fencing

written by djm, on Jun 20, 2003 12:00:00 AM.

My father-in-law and I completed our repairs to our front picket fence today. Now all I need to do is paint it white, produce 2.3 children and middle class domestic bliss will be MINE.

ichiban warui

written by djm, on Jun 20, 2003 12:00:00 AM.

Wow. This is everything annoying about email all rolled into one idiotic program. I take solace in the likelihood that people who send me mail using this abomination would probably be detected as spam.

Lazy

written by djm, on Jun 15, 2003 12:00:00 AM.

It has been only one week and already the weblog falters, I am truly bad. On the other hand, according to this very weird spam it may not matter soon.

I just released the code that I have been using to build miniature OpenBSD distributions for my flash-based router/firewall. It is largely ripped from OpenBSD’s i386 distrib architecture, but it is likely to be useful to others.

I stand at the edge of my last week of unemployment. My company division was shut down back in March and I have been blissfully lazy ever since. All this is coming to an end as next Monday I start a new job with NetStar Networks on their security team. This is somewhat of a change from the software development that I have done the last couple of years, but it should be an interesting challenge and will have me out from behind the monitor a fair bit more (woo hoo). It is just as well that I am going back to work as I have a mortgage to pay :)

A couple of weeks ago I insulated my roof. It has been a very cold and dry winter in Melbourne and without insulation our house was like a fridge. No longer. Some advice to the reader in a similar situation: whatever you do, PAY SOMEONE ELSE to do it. Stuffing insulation into a dark, dusty, spider infested roof cavity where you have to lie prone to get it into the corners is just not worth the pain. Did I mention that I am afraid of heights, slightly claustrophobic, alarmed by spiders and allergic to dust? It really is the worst job I have had to do in our renovation adventure, easily beating the digging of stump holes. The insulation has, despite my whinging, done the job and neither I nor my wife are quite so bone cold now.

Continuing the renovation theme, my wife and I weeded our front garden today. The garden grows weeds very nicely, but is not quite ready for planting much just yet. You see, my uncle was kind enough to give me a birthday present of four bags of cow shit and four bales of hay last year. Everyone thought this to be very funny, but the hay has still not completely rotted down. On the other hand, the soil underneath it is looking pretty good - which was the point. Also, having a front yard of gently rotting hay gives me a good excuse to exercise my aversion to gardening. My wife and I are both cursed with an innate ability to kill plants. She used to refer to the line of sick potplants at the front of our old apartment as “death row”.

Late night rambling

written by djm, on Jun 8, 2003 12:00:00 AM.

Today was enjoyable, but tiring. We visited my wife’s aunt, uncle and several cousins. They all live 100-150km away, so we don’t see them very frequently. The uncle, who was too sick to make it to our wedding, was overjoyed to see Simone. My newfound cousins are mostly a little older, but are all very nice and hospitable. Their kids took a liking to me (probably because I mentioned a few children’s TV shows when I arrived). I think at least one of the kids thought that I was a member of The Wiggles. We ended up at another cousin’s housewarming party where I talked about parenthood and the relative merits of co-ed vs. single sex secondary schools with yet more cousins and friends. They make parenthood sound very fun and easy, though I suspect that the hard years are behind them :)

Simone got talking to an Adelaide police officer, from the drug squad. I was moved by the internal struggle that he described - the tension between the demands of the job, long-time friends who he knows break the law and his earnest desire to be ethical and not hypocritical (“I couldn’t bust someone for a slightly unroadworthy car, because I know that I have driven without a working brakelight”). I am glad that this critical job is being done by someone who struggles with ethical questions, rather than some self-styled Nietzschean overman who feels that he can do no wrong.

Unfortunately I was designated driver for the evening, so I had to limit my consumption of wine to a trickle, while Simone guzzled cocktails. Well, I have probably done something equivalent to her the last couple of times she has driven for me…

Friendly, misguided libc developers

written by djm, on Jun 6, 2003 12:00:00 AM.

bwahahahaha

Those wacky Melbourne socialists

could be…

(posting amusing links is easier than writing at 1am, maybe tomorrow.)