Archive for June, 2008

Pacers Draft Round-up

Posted on June 29th, 2008 in Entertainment, Sports | No Comments »

Due to two blockbuster trades, the Pacers draft has been a rather confusing mess. The best summary of the draft that I’ve found said this:

When the trades are made official July 9, the Pacers’ will add Rush, Hibbert, Ford, Nesterovic, Baston, Jack, and McRoberts, while they will part ways with O’Neal, Diogu, Bayless, and Jawai — indicating more Pacers will be on their way out in the near future.

When you look at it like that, you can start to compare some of the players on a position by position basis. Let’s start with Diogu and Rush. I think Rush has an amazing upside and would have gone higher in last year’s draft had he not had the ACL injury. I also think that he’s ready to play in the NBA right now. Diogu is another young, athletic player with a lot of upside, and I know a few people who are looking to see big things from him in the near future. Diogu is also a bit taller than Rush and is more of a forward than a 2-guard. Rush may be able to play both positions.

Advantage: Rush

Next let’s look at O’Neal and Hibbert. It’s hard to lose a six-time All Star that still has a lot left in the tank, but O’Neal has big contract that would limit the team’s ability to bring in new talent. The question here really is can Hibbert fill O’Neal’s shoes? I think Hibbert is a beast. I don’t think he’ll every be the player O’Neal was on offense, but he has a good chance at being better than O’Neal on defense. At 7’2″ Hibbert has a few inches on O’Neal and Hibbert’s shot blocking ability at Georgetown was something to behold. Although O’Neal is an excellent defender, I like Hibbert’s prospects in this area. If you compare the players straight-up, O’Neal wins. Still, I think the reason this is a “win” for the Pacers is that they were able to get rid of O’Neal’s contract.

Advantage: O’Neal

Last, let’s look at the point guards, Bayless and Ford. Bayless was predicted as a top 5 pick in the NBA draft, but fell all the way to 11th. It’s obvious that the Pacers are moving away from young potential and towards older, more mature proven talent, so I can see why they would be willing to trade Bayless to a team that wanted a top 5 talent at a bargain price. Of course, Ford is arguably also top 5 talent, but he has been plagued by injuries. It’s obvious that Ford has the skills to play the point guard position at a high level, and he has certainly lacked a consistent team environment throughout his NBA career. I think personally the only way to compare these players is to pick which you would rather have: a highly rated prospect or a injury-plagued proven talent. I think Ford’s injuries have been pretty fluky and I think that at the time they were both drafted Ford had the higher ceiling.

Advantage: Ford

Of course, that leaves the rest of the players in this deal. I think the Pacers picked up competent bench players in Nesterovic and Jack, but I don’t know anything about Baston or Jawai. I think McRoberts should have stayed at Duke for at least one more year to develop a finishing move in the paint and show some ability to avoid collapsing under pressure. Really, the rest of these players are not all that impressive nor are they the focus of the trades.

On the whole, I think the Pacers made out pretty well. I also think that the size and scope of the trades will be an excellent referendum on the quality of Pacers Head Coach Jim O’Brien. He has a bunch of pretty good players, which appear to have been selected just for his style of play and which have been touted as NBA-ready. If he can’t make serious improvements in the next year or two, expect him to be feeling the heat.

Mac OS X Security in Snow Leopard

Posted on June 27th, 2008 in Computer Security, Technology | No Comments »

Recently we have seen several interesting developments in Mac OS X Security. Apple published a Leopard Security configuration guide (pdf) for experienced Mac OS X users. Apress published Foundations of Mac OS X Leopard Security. (Slashdot review here.)

However, I think the most interesting development has been the discussion of a SUID vulnerability by Matasano Chargen, among others. The vulnerability can be easily fixed by:

sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app

Along with the announcement that most of the work on the next version of OS X will be under-the-hood improvements, the discussions of what improvements Apple should make to OS X Security have been thriving. In particular, I like Dino Dai Zovi’s editorial on what improvements he would make.

Dino lays out five specific improvements he would make:

  • Real ASLR (address space layout randomization). Library randomization with dyld loaded at a fixed location just doesn’t cut it.
  • Full use of hardware-enforced Non-eXecutable memory (NX). Currently, only the stack segments are enforced to be non-executable. Welcome to the new millennium where buffer overflows aren’t only on the stack.
  • Default 64-bit native execution for any security-sensitive processes. I don’t particularly care that it may waste 5% more memory and a little bit of speed, I want Safari, Mail.app and just about everything else that has security exposure to run as a 64-bit process. Simply because function arguments are passed in registers rather than on the stack, this makes working around ASLR and NX damn near impossible for many exploits.
  • Sandbox policies for Safari, Mail.app, and third-party applications. Code execution vulnerabilities aren’t the only kind of vulnerabilities and good sandbox policies for security-exposed applications can help mitigate the exploitation of code execution and other vulnerabilities in these applications. I love the scheme-based policies, by the way.
  • Mandatory code signing for any kernel extensions. I don’t want to have to worry about kernel rootkits, hyperjacking, or malware infecting existing kernel drivers on disk. Most kernel extensions are from Apple anyway and for the few common 3rd party ones, they should be required to get a code signing certificate.

Overall, this is an excellent list with one glaring omission: improve FileVault. There are many things that could be improved in this area, but I think the first two that come to my mind are integration with Time Machine and the ability to configure encryption for individual folders (other than the home folder) or entire disks. There are other, more technical problems with FileVault (such as the use of CBC mode encryption), but I think these are largely less important than living up to Apple’s reputation for making things easy to use. Right now, FileVault is not easy to use with Time Machine and it doesn’t serve the needs of those who need full disk encryption or those who really only want a few folders to be encrypted.

I would also like to pick a tiny nit on Dino’s list. I think Mandatory code signing for kernel extensions should be something that by default is enabled, but could be turned off manually as a part of the System Preferences by a user. There are still people who want the freedom to do whatever they want with their computer and although this may mean that they have enough rope to hang themselves, they still deserve that freedom.

Free the Jefferson 1

Posted on June 11th, 2008 in Life, Politics and Law | No Comments »

I recently met Brooke Oberwetter, who has become known as the Jefferson 1. She seems like a nice, unassuming person and we had a pleasant conversation, which is why I was surprised to learn that she was facing criminal charges. I have come to believe that her arrest is an excellent example of the war on the unexpected.

She and around 20 of her friends went to the Thomas Jefferson Memorial to celebrate Thomas Jefferson’s birthday by silently dancing and listening to music with earphones of some kind. Surely this is not a usual occurrence and the park police were not expecting 20 people to show up and silently dance around in the middle of the night. However, she was not breaking any laws and she certainly wasn’t terrorizing anything.

Of course, you don’t have to take my word for it because there’s three videos on YouTube that show the event in detail. This incident happens to be getting a lot of publicity because of the circumstances: a young blond woman, the Thomas Jefferson Memorial on Thomas Jefferson’s birthday, the video footage of the event, the fact that all the participants were active in libertarian politics.

If this doesn’t seem like that big of a deal to you, I am not surprised. Violations of civil liberties rarely seem like that big of a deal to the unaffected. The unaffected are, by definition, not directly affected by events like this. Mistakes are made. Police officers are human just like everyone else, but we all lose something when citizens in our country are wrongfully arrested or detained. This event may be useful in illuminating the broader point: the war on the unexpected is a massive waste of time and money — how can we fix this?

That’s certainly something to think about.

Firefox 3 Screencast

Posted on June 9th, 2008 in Computer Security, Technology | No Comments »

Here’s a really nice down-to-earth screencast of the new features in Firefox 3, which will be released this month. I found this through Slashdot, but it is actually quite straightforward and you shouldn’t need a technical background to understand what’s going on here.

The screencast shows a nice overview of the new Firefox, but I wanted to focus on two very important security features that are new in Firefox 3: Website Identity and Malware protection. The website identity feature uses certificates and previous visits to inform the user who runs the website and whether or not the user has been there before. This is critical information that can both improve user confidence and prevent phising attacks.

The malware protection feature attempts to prevent sites from taking advantage of flaws in the browser or add-ons. This feature is similar to the Phising protection added in Firefox 2, but they are also integrating virus scanning and malware protection into the download manager.

The screencast doesn’t talk about Mac features, but since I use a Mac, I will mention the big ones briefly. Firefox 3 takes on more of the Mac user interface conventions when installed on a Mac. One of their big pushes was to make sure that their browser was a native application for each operating system it installed on, so this actually applies to Windows as well. Also, Firefox 3 has significantly improved memory management and speed on the Mac. This was improved across all operating systems, but it was a serious complaint in the Mac community because Safari was so much more efficient than IE or Firefox. For the interested, Daring Fireball has a much more detailed coverage of Firefox 3 for the Mac.

Obviously, I can’t cover all the features in a new release of something like Firefox with a single blog post, so if you want more information I recommend checking out lifehacker’s top ten list of new Firefox features. For those who are of a more technical persuasion and wanting more information, you can check out the Firefox 3 Product Requirements document here. Also for the serious geek, check out this post (somewhat old now) on Firefox 3 Memory Usage improvements.

[Edit: There's an excellent "Field Guide to Firefox 3" post here that explains all anyone would want to know and more about the new version of Firefox, which is released tomorrow, June 17th.]

John McCain and Warrantless Wiretapping

Posted on June 4th, 2008 in Politics and Law, Technology | No Comments »

Threat Level is reporting that John McCain would continue the Bush administration’s policies of warrantless wiretapping. For the uninitiated: The NSA has conducted warrantless surveillance of Americans with the help of some telephone companies such as AT&T. I have previously blogged about whether AT&T should be retroactively granted immunity for the actions. McCain apparently now supports this type of action. McCain’s position on this topic hasn’t always been very clear. Cory Doctorow believes that this is pretty much exactly the kind of intrusion the founding fathers were hoping to avoid with that whole Constitution thing.

Personally, I think the politics are not as important as the technological concerns. Wiretapping isn’t as simple as it may seem and there are real technical challenges and security risks introduced by these systems. For example, every surveillance technique we use is a potential technique that our enemies could use against us. (The founding fathers might say that the government itself might use it against us.) For a detailed list of risks, I highly recommend reading the paper described by Matt Blaze in this post on wiretap risks.