What a month...
Life
The last month has been horrendous. Not one, but two OpenSSH vulnerabilities in the space of a week, resulting in three rapid-fire releases and a lot of late nights for me and the other developers. The latter vulnerability was particularly embarrassing, as it was code that I reviewed and imported. The fact that it had a number of bugs, including one absolutely obvious and critical one, escaped my attention. This resulted in the first portable OpenSSH-specific security problem. These releases are made even less pleasant by the legion of howling trolls and posers who crawl out from under their respective rocks whenever security problems are found in OpenSSH. At least they thicken the skin.
Added to the late nights and stress from OpenSSH issues was a job that is rapidly becoming much more busy. This is good, as I prefer to be busy than left twiddling my fingers, but it is still an adjustment. Anyway, I am learning much and generally enjoying the experience. As I said to a friend “as a professional software developer, I was responsible for creating problems. Now, as a consultant, I solve them!” While this isn’t true from an objective, it sure felt like it at the time :)
Home
The home renovations are slowly and steadily progressing. I thought that
chopping down trees was painful, but that is easy going compared to digging
their roots out or breaking up and removing concrete. The satisfaction
gained from a day of hard physical labour is pretty ephemeral when one
considers that the same amount of work could have been accomplished in five
minutes with a backhoe.
Reading
Read Ross Anderson’s book Security Engineering. It was quite a good read - very much more in breadth than in depth, though I am probably more familiar than most with the content. Much of the book is written at a moderately high level of abstraction, which I would regard as appropriate for such a dynamic field. There were enough “war stories” peppered throughout the book to keep some of the more abstract sections interesting (I’d have liked a few more, though). Management and procedural issues were relegated to a fairly short section at the end of the book, which doesn’t give them justice (IMO). All that being said, I’d recommend it to anyone involved with IT Security; it provides a good foundation and an exceptional set of references (I have already ordered one of the books off the reference list).
I have just started reading Skunkworks by Ben Rich and Leo Janos. This is the story (from Lockheed Martin’s perspective) of the development of the first stealth fighter. The tone is very “rah-rah” and macho, very removed from any workplace that I have experienced. I don’t know how much of this to chalk up to cultural differences between Australia and the US and how much has to do with doing a job where your work affects the likelihood of people getting killed. I’m about 1/3 of the way through the book, and there is a strong subtext around masculine rites of passage, as the new leader of the Skunkworks tries to live up to the example set by his predecessor. Pretty good read, so far.
A good friend gave me a copy of Feynman’s so-called “Red Book” of physics lectures. I have been slowly digesting these, a process not aided by my usual habit of bed-time reading (my mind being too tired for physics). These books are a wonderful, intuitive and lively introduction to physics. I’m only a little way in, but I have learned a few things already and obtained new perspectives on things I already thought I knew. Again, well recommended.