Microsoft Security Updates, 28 July

July 28, 2009

As previously announced, Microsoft today released two urgent security patches outside of its regular monthly update cycle.  The patches are described in an updated version of the Security Bulletin Summary for July, which also has download links for the installation packages.  (These fixes are also available via Windows Update.)

One of the patches (MS09-035) corrects a flaw in the Active Template Library for Visual Studio, one of Microsoft’s development tools; the associated Security Bulletin gives details.  The second patch (MS09-034) is much more important for most users; it fixes a vulnerability rated Critical for all supported versions of Internet Explorer on all desktop versions of Windows.  Because of the integration of Internet Explorer with other Windows components, and the fact that the update replaces a number of dynamic link library (.DLL) files that may be used by other applications, I recommend installing this update as soon as possible.

Adrien de Beaupré, at the SANS Internet Storm Center, has posted a note with some further details.


Bacterial Computing

July 27, 2009

Since my earlier post today dealt with the issue of “intelligent” machines becoming more like living organisms, and humans in particular, it’s perhaps appropriate that this one turns it around, to discuss the use of living organisms as computers.   In a paper that is to appear in the Journal of Biological Engineering, a group of researchers has reported on an experiment in which they genetically engineered E. coli bacteria to solve a particular mathematical problem, the Hamiltonian Path Problem.   (This problem is a special case of the Traveling Salesman problem; it essentially adds the restriction that travel is only possible between adjacent cities.  The problem is of considerable interest in computer science because it is an NP-complete problem.)

The problem that was actually solved in the experiment is not particularly interesting in its own right, because it is quite small.   But the steps that were taken in the process are interesting, in the sense that they illustrate some of the things that are possible in the world of genetic engineering.

In the software world, genetic algorithms use techniques motivated by observations from evolutionary biology to solve search and optimization problems.  The algorithms are essentially heuristics that are intended to arrive at a solution in much the same way that biological evolution leads to the characteristics of a species.  When implemented in software, these algorithms have two fundamental components:

  • A representation encoding all possible solutions, corresponding to a biological gene
  • A fitness function, that determines the evolutionary success of a solution, paralleling the idea of differential reproductive success in the biological world.

From its starting point, the algorithm produces successive “generations” of solutions, with the most fit solutions in each generation selected to “reproduce”, mimicking the process of natural selection.

What the experimenters here have done is to implement this sort of approach using an actual organism.  They encode the relevant problem data as DNA sequences within the bacteria.  These sequences are then “shuffled” randomly as the bacteria reproduce.  Of course, there has to be some way of measuring the “solution” that has been arrived at.  In the three-node problem studied, this was done (quite cleverly, I think) by encoding the data in genes that produced red and green fluorescent pigments, such that a Hamiltonian path solution would contain both pigments, and fluoresce yellow.  The solutions were later verified by sequencing the DNA.  One can think of this as a very large parallel computer, with literally billions of small processors.
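To make the two components above concrete, here is the software counterpart of the experiment, written as an added example (it is not code from the paper or from this post): a candidate solution is an ordering of the cities, the fitness function counts how many consecutive cities are actually joined by a road, and the fittest orderings "reproduce" through crossover and random mutation until an ordering scores the maximum, which is the yellow-fluorescence equivalent. The five-city road map is constructed for the example and is not the graph used in the experiment.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed road map for this example (not the graph used in the experiment):
# travel is only possible between adjacent cities, as the post describes.
GRAPH: Dict[str, Set[str]] = {
    "A": {"B", "C"},
    "B": {"A", "D"},
    "C": {"A", "D", "E"},
    "D": {"B", "C"},
    "E": {"C"},
}


def fitness(path: List[str]) -> int:
    """Number of consecutive city pairs joined by a road.

    A complete Hamiltonian path scores len(path) - 1; this plays the role
    of the yellow fluorescence in the bacterial experiment."""
    return sum(1 for a, b in zip(path, path[1:]) if b in GRAPH[a])


def is_hamiltonian_path(path: List[str]) -> bool:
    """Every city exactly once, and every step along an existing road."""
    return sorted(path) == sorted(GRAPH) and fitness(path) == len(GRAPH) - 1


def order_crossover(p1: List[str], p2: List[str], rng: random.Random) -> List[str]:
    """Copy a slice of one parent, fill the gaps in the other parent's order.

    This keeps the child a valid permutation (each city still appears once)."""
    n = len(p1)
    i, j = sorted(rng.sample(range(n), 2))
    child: List[Optional[str]] = [None] * n
    child[i : j + 1] = p1[i : j + 1]
    fill = iter(c for c in p2 if c not in child)
    return [c if c is not None else next(fill) for c in child]


def mutate(path: List[str], rng: random.Random, rate: float = 0.3) -> List[str]:
    """With probability `rate`, swap two cities (the random 'shuffling')."""
    path = list(path)
    if rng.random() < rate:
        i, j = rng.sample(range(len(path)), 2)
        path[i], path[j] = path[j], path[i]
    return path


def evolve(pop_size: int = 30, max_generations: int = 500,
           seed: int = 1) -> Tuple[Optional[List[str]], int]:
    """Run the genetic algorithm; return (solution or None, generations used)."""
    rng = random.Random(seed)
    cities = sorted(GRAPH)
    population = [rng.sample(cities, len(cities)) for _ in range(pop_size)]
    for generation in range(max_generations):
        population.sort(key=fitness, reverse=True)
        best = population[0]
        if fitness(best) == len(cities) - 1:
            return best, generation
        parents = population[: pop_size // 2]   # the fittest "reproduce"
        children = [best]                       # elitism: never lose the best ordering
        while len(children) < pop_size:
            p1, p2 = rng.sample(parents, 2)
            children.append(mutate(order_crossover(p1, p2, rng), rng))
        population = children
    return None, max_generations


if __name__ == "__main__":
    solution, generations = evolve()
    print(f"found {solution} after {generations} generations")
```

Order crossover is used rather than a naive cut-and-splice because a Hamiltonian path must visit every city exactly once; splicing two orderings at a random point would produce duplicates, whereas copying a slice and filling the rest in the other parent's order always yields a permutation. The same representation-plus-fitness structure is what the bacterial version implements with DNA segments and pigment genes.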

This experiment was really a proof-of-concept project.  As I noted earlier, the specific problem that was solved is very small.  It isn’t clear that there is a really effective way to scale this approach to large problems, and it is the difficulty of solving large problems that makes the NP-complete set interesting in the first place.  But it is a fascinating demonstration of some of the things that can be done with biological engineering, and perhaps should remind us again that the boundary between our machines and living organisms may not be quite as well defined as we think.


I’m Sorry, Dave

July 27, 2009

The New York Times carried a report on Saturday on a meeting of computer scientists who, the article says, are concerned that in the not-too-distant future, new technology will enable us to build machines that are smarter than we are:

Impressed and alarmed by advances in artificial intelligence, a group of computer scientists is debating whether there should be limits on research that might lead to loss of human control over computer-based systems that carry a growing share of society’s workload, from waging war to chatting with customers on the phone.

The meeting, which took place at the Asilomar Conference Center in Monterey, California, was intended for discussion of how the growing body of research into the nature of intelligence in general, and artificial intelligence [AI] in particular, might be managed:

Their concern is that further advances could create profound social disruptions and even have dangerous consequences.

These concerns are not new, as anyone who saw the movie 2001: A Space Odyssey will know.  More seriously, Joseph Weizenbaum, a computer science professor at MIT and a pioneer in AI research, compared the potential impact of the information technology “revolution” to that of the original Industrial Revolution, in his book, Computer Power and Human Reason.  He argued that, just as routine physical labor was devalued by the Industrial Revolution, routine mental labor might be similarly devalued by the IT revolution.  Weizenbaum also was the author of a computer program called ELIZA, which used simple pattern matching and a repertoire of canned response patterns to simulate a psychologist:

PATIENT: My mother hates me.

ELIZA: Who else in your family hates you?

PATIENT: Practically everyone.

ELIZA: Why do you say that?

Weizenbaum was quite disturbed to find that some of his test “patients” became attached to ELIZA, and continued in the attachment even after the program was explained to them.  Some requested a private session with the terminal, so they could discuss more sensitive matters.
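The mechanism is simpler than the reactions of those test “patients” suggest.  As an added illustration (this is not Weizenbaum’s script, and the rule table is constructed for the example), the following matcher reproduces the exchange above with nothing more than a few regular expressions, a pronoun-swapping step so that “hates me” comes back as “hates you”, and a generic fallback question for anything the rules do not recognize.

```python
import re
from typing import List, Tuple

# Constructed rule table in the style of ELIZA (not Weizenbaum's original
# script): a regular expression matched against the patient's sentence and a
# canned reply; {0}, {1} echo captured fragments back after pronoun reflection.
RULES: List[Tuple[str, str]] = [
    (r"\bmy (mother|father|sister|brother|wife|husband) (.+)",
     "Who else in your family {1}?"),
    (r"\bi am (.+)", "How long have you been {0}?"),
    (r"\bi feel (.+)", "Tell me more about feeling {0}."),
    (r"\b(always|never)\b", "Can you think of a specific example?"),
]
FALLBACK = "Why do you say that?"   # used whenever no rule matches

# First-person words become second-person (and vice versa) when echoed back.
REFLECTIONS = {"i": "you", "me": "you", "my": "your", "am": "are",
               "mine": "yours", "you": "I", "your": "my", "yours": "mine"}


def reflect(fragment: str) -> str:
    """Swap pronouns so a fragment of the patient's words reads as ELIZA's."""
    return " ".join(REFLECTIONS.get(word, word) for word in fragment.split())


def respond(sentence: str) -> str:
    """Apply the first matching rule; otherwise use the generic prompt."""
    text = sentence.strip().rstrip(".!?").lower()
    for pattern, template in RULES:
        match = re.search(pattern, text)
        if match:
            return template.format(*(reflect(g) for g in match.groups()))
    return FALLBACK


def session(lines: List[str]) -> List[Tuple[str, str]]:
    """Run a whole conversation, returning (patient, ELIZA) pairs."""
    return [(line, respond(line)) for line in lines]


if __name__ == "__main__":
    for patient, eliza in session(["My mother hates me.", "Practically everyone."]):
        print(f"PATIENT: {patient}\nELIZA: {eliza}\n")
```

Nothing here models the conversation: “Practically everyone.” matches no rule and simply draws the fallback, which is exactly why it reads as an attentive follow-up question.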

The concern about intelligent machines running amok is not new, either.  The great science fiction writer Isaac Asimov created his Three Laws of Robotics to govern the behavior of robots in his stories:

1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2. A robot must obey any orders given to it by human beings, except where such orders would conflict with the First Law.

3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

One of the concerns that was mentioned by those at the conference was the idea of something like the existing Predator unmanned aircraft, in a fully autonomous version.  Some of the computer viruses and worms that spread so readily via the Internet can be very hard to eradicate; one might suggest, only partially tongue-in-cheek, that they have evolved to have the intelligence of cockroaches.

Although I’m sure that each of us can think of one or more people who might on the whole be profitably replaced by a machine, it doesn’t seem to me, or to the scientists at the meeting, that we need to worry about HAL taking over just yet.  The participants suggest, and I agree, that it is important to have an open discussion of what is possible and what is acceptable, just as is happening with genetic research.  In practice, I suspect the biggest near-term danger is that people will become too reliant on machines, and be lulled into a false sense of security.

I’m sure that as AI technology advances, it will cause some disruptions in our lives; new technologies, if they are of any importance at all, generally do.  Just as with genetic engineering, the knowledge cannot be unlearned, so we will just have to do our best to use it wisely.


Microsoft to Issue Unscheduled Patch

July 25, 2009

Microsoft has announced that next Tuesday, July 28, they will issue an urgent security patch outside of their normal second-Tuesday-of-the-month schedule.  The major vulnerability to be addressed by this patch affects Internet Explorer and related components in all supported versions of Windows and Internet Explorer.   The risk is rated as Critical for all Windows versions except Windows Server 2003 and 2008.  There is also a fix for a vulnerability in the Visual Studio software development tool, which is rated as a Moderate risk.

Although Microsoft does not say so directly, it is likely that the Critical flaw affects one or more of the dynamic link libraries (.DLL files) that are used by Internet Explorer, and elsewhere in Windows.  If this is the case, it means that the flaw may potentially exist in other, non-Microsoft applications that call these libraries.  Because of this, and because Microsoft does not generally release patches outside its normal monthly schedule just for kicks, I suggest that you try to install this one as soon as you reasonably can.

Brian Krebs, in his “Security Fix” blog at the Washington Post, also has an article about the upcoming patch.


Twitter Attack Analyzed

July 24, 2009

Many of you may have seen news stories recently describing an attack on the popular micro-blogging service, Twitter.   When the story was first reported, it was originally thought that the extent of the break-in was the compromise of some Twitter employees’ accounts.  The attacker, who went by the pseudonym ‘Hacker Croll’, was apparently dissatisfied by the way the story was being reported, and sent copies of 300+ sensitive internal Twitter documents to the TechCrunch blog.

It [the documents] included things like financial projections and executive meeting notes that contained highly confidential information.

TechCrunch, having had some extended conversations with both Twitter and the attacker, has a post describing the attack in some detail.  It makes for interesting reading, in part because the attacker gained access, not by discovering some previously unknown security flaw, but by exploiting a combination of well-known areas of weakness.  As the TechCrunch writer, Nik Cubrilovic, put it:

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through.

In the case of the Twitter attack, it was not a vulnerability in a single application or system that led to the success of the attack; rather, it was the attacker working on the collective weak points of an “ecosystem” of applications that led to his success.

The first step in the attack was to use standard search engines and public sources to compile a collection of data on people associated with Twitter:

In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged.

Once this was done, the attacker was in a position to try to gain access to one or more individual’s accounts, from which he could work on further compromising security.  In this case, the initial target was a personal GMail account.  As with other Web services, GMail has an “I forgot my password” link, which, also typically, will E-mail you a link to reset your password.  Although there are some secret security questions involved, the answers were possible to guess based on the dossiers of personal information that the attacker had compiled.  (I’ve written before about the inherent weakness of these “secret” questions.)

Giving the user an option to guess the name of a pet in lieu of actually knowing a password is just dramatically shortening the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”.

Because the E-mail address is used as the identifier at so many Web sites, it creates an implicit “web of trust”, which allows an attacker to steadily expand his penetration of related systems.  The attacker’s job is also made easier by people’s unfortunate but understandable tendency to use the same password for multiple sites. And once a number of E-mail accounts have been compromised, the messages they contain will usually yield a wealth of other information.
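That “web of trust” can be written down and measured.  The following is an added example (not from the TechCrunch article or from Twitter) of the check a defender can run over an inventory of accounts: each account names the mailbox that receives its password-reset link and whether a second factor is needed to finish a reset, and a breadth-first walk over those links shows which accounts fall along with any one mailbox.  Ranking mailboxes by that count points at where a second factor or a dedicated recovery address buys the most.  The account names are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed inventory for one person (hypothetical names): each account
# names the mailbox that receives its password-reset link and whether a
# second factor is required to complete the reset.
Account = Dict[str, object]
ACCOUNTS: Dict[str, Account] = {
    "alice@personal-mail.example": {"reset_via": None, "second_factor": False},
    "alice@corp.example":          {"reset_via": "alice@personal-mail.example", "second_factor": False},
    "alice@social.example":        {"reset_via": "alice@personal-mail.example", "second_factor": False},
    "corp-admin-console":          {"reset_via": "alice@corp.example", "second_factor": True},
    "shared-docs":                 {"reset_via": "alice@corp.example", "second_factor": False},
    "bob@personal-mail.example":   {"reset_via": None, "second_factor": False},
}


def reset_edges(accounts: Dict[str, Account]) -> Dict[str, List[str]]:
    """Map each mailbox to the accounts whose reset link it receives,
    leaving out resets that a second factor would stop."""
    edges: Dict[str, List[str]] = {name: [] for name in accounts}
    for name, info in accounts.items():
        mailbox = info["reset_via"]
        if mailbox is not None and not info["second_factor"]:
            edges[mailbox].append(name)
    return edges


def blast_radius(accounts: Dict[str, Account], start: str) -> Set[str]:
    """Every account reachable from a compromised `start` by chaining resets."""
    edges = reset_edges(accounts)
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for downstream in edges.get(current, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def rank_mailboxes(accounts: Dict[str, Account]) -> List[Tuple[int, str]]:
    """Accounts ordered by how many others fall with them (most exposed first)."""
    ranked = [(len(blast_radius(accounts, name)) - 1, name) for name in accounts]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))


def require_second_factor(accounts: Dict[str, Account], name: str) -> Dict[str, Account]:
    """Return a copy of the inventory with a second factor enforced on `name`'s
    reset, so the effect of hardening one link can be compared."""
    hardened = {n: dict(info) for n, info in accounts.items()}
    hardened[name]["second_factor"] = True
    return hardened


if __name__ == "__main__":
    for exposed, name in rank_mailboxes(ACCOUNTS):
        print(f"{name}: {exposed} further account(s) reachable by reset")
    hardened = require_second_factor(ACCOUNTS, "alice@corp.example")
    print("after hardening corp mail:", sorted(blast_radius(hardened, "alice@personal-mail.example")))
```

In the constructed inventory the personal mailbox exposes three further accounts, the corporate mailbox one, and the admin console none because its reset already requires a second factor; putting a second factor on the corporate mailbox alone cuts the personal mailbox’s reach in half.  Password reuse, which the post mentions next, adds edges to this graph that no reset link shows, which is one more reason the count above is a lower bound.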

I’ve just skimmed the surface of how the attack worked here; if you are interested in security, I think the whole TechCrunch article is worth reading.  There are a couple of key things I think one can take away from this incident.   The first is that Web (or “cloud”) services are still relatively new, and their security arrangements are often untried, or poorly understood by the people that use them.  (How many people really understand all of Facebook’s privacy controls?)   The second is that your security can be compromised by low-tech snooping or user ineptitude at least as well as by the latest vulnerability of the day.  Finally, and perhaps most important, security is not a product; it is a process and a system, and the old adage about chains and weakest links still very much applies.


Wireless Power

July 23, 2009

Almost everyone who has ever traveled with even a subset of his collection of electronic gizmos knows about the annoyance of carting along power adapters and battery chargers, and of trying to find replacement batteries in an unfamiliar place.  Today’s BBC News has a report from the TED Global Conference about a new technique for the wireless transmission of electric power.

Eric Giler, chief executive of US firm Witricity, showed mobile phones and televisions charging wirelessly at the TED Global conference in Oxford.

He said the system could replace the miles of expensive power cables and billions of disposable batteries.

Of course, the idea of transmitting energy without wires is not new: the microwave oven in your kitchen, and radio and TV broadcasts do it all the time.  Both Edison and Tesla explored the idea of wireless power transmission in the early days of electricity.  The trick is to do it without “cooking” everything nearby.

The new system works by using a technique based on magnetic resonance, developed by an MIT physicist, Professor Marin Soljacic.  Both the power transmitter and receiver have antenna coils that are tuned to the same resonant frequency.  The system uses a long wavelength (about 30 meters), so that near field effects (less than one wavelength from the source) predominate; the power is transferred via changes in the magnetic field, and the electric field strength is minimal.  Suitably equipped devices would begin to recharge themselves as soon as they came close to the power transmitter.

Of course, our existing wired electricity infrastructure is not going away anytime soon.  But it’s possible to imagine a range of uses for this technology:

Mr Giler said Witricity’s approach could be used for a range of applications from laptops and phones to implanted medical devices and electric cars.

I use a laptop a lot more these days than I did a decade ago, even at home, because the advent of WiFi means I don’t have to be tied to a network cable.   Getting rid of the power cord would make things even easier.

