HTML 5 Now “Feature Complete”

December 20, 2012

Earlier this week, the World Wide Web Consortium [W3C] announced that the definition of HTML 5 and the accompanying Canvas 2D graphics specification are now “feature complete”.

The World Wide Web Consortium (W3C) published today the complete definition of the HTML5 and Canvas 2D specifications. Though not yet W3C standards, these specifications are now feature complete, meaning businesses and developers have a stable target for implementation and planning.

This means that the set of capabilities to be provided is now, essentially, frozen.  These definitions are not yet official Web standards, but they now have “Candidate Recommendation” status; the focus of work going forward will be on testing and checking inter-operability.  Web developers would, ideally, like to have a set of standards that is implemented equally in all browsers.  Having a feature-complete standard means that all the browser makers have a common target to aim for.

During this stage, the W3C HTML Working Group will conduct a variety of activities to ensure that the specifications may be implemented compatibly across browsers, authoring tools, email clients, servers, content management systems, and other Web tools. The group will analyze current HTML5 implementations, establish priorities for test development, and work with the community to develop those tests.

Innovation and creativity on the part of browser makers have helped drive the development of the Web; having standards helps avoid a chaotic mess of incompatible implementations.


Google Updates Chrome for Mac

December 17, 2012

Google has released a new version, 23.0.1271.101, of its Chrome browser for Mac OS X.  According to the Release Announcement, this fixes a Mac-specific bug in audio processing.  You should get the new version via the built-in update mechanism.


Ken Jennings v. Lore

December 16, 2012

In the course of writing this blog, I’ve referred to articles from quite a few different publications.  Until now, though, I have not referenced Parade magazine — the color supplement that comes in the advertising package with the Sunday Washington Post, and other papers.  It is not, frankly, a publication that I expected to be citing.  But this week, Parade has an article by Ken Jennings, the Jeopardy! game show champion†, addressing, and debunking, some hoary chestnuts of folk wisdom, the kind I refer to as “lore”, that parents often tell their children, without necessarily wondering whether or not they are true.  As Jennings puts it:

That’s the dirty secret of parenting: It’s a big game of Telephone, stretching back through the centuries and delivering garbled, though well-intentioned, medieval bromides to the present.

[“Telephone” is the American name for the game called “Chinese Whispers” in the UK.]

I suspect most readers will have heard most of these precepts at one time or another:

  1. “Stay away from the poinsettia! The leaves are poisonous.”
  2. “No swimming for an hour after lunch. You’ll cramp up.”
  3. “When you start shaving, the hair will grow in thicker.”
  4. “Don’t eat snow—it’ll make you sick!”
  5. “Drink eight 8-ounce glasses of water a day.”
  6. “It’s too dark in here. You’ll hurt your eyes.”
  7. “You are a special little snowflake.”
  8. “You need hydrogen peroxide on that.”
  9. “Take off the Band-Aid to let your cut air out.”
  10. “Don’t cross your eyes—they’ll get stuck like that!”
  11. “No soda! The sugar makes you hyper.”
  12. “Don’t wake a sleepwalker.”
  13. “Most of your body heat escapes through your head!”
  14. “You’re not fat. You’re just big-boned.”
  15. “If you pick up a baby bird, its mommy will reject it.”

Some of these, such as numbers 3 and 7, are just more or less harmless nonsense.  Others — number 12, on sleepwalking, is an example — embody basically correct conclusions for the wrong reasons.  (In this, they resemble the frequently given advice to get into a car in a lightning storm.)  Others are just nonsense from top to bottom.

For example, I have heard many people express their belief in number 5, the idea that one needs to drink eight 8-ounce glasses of water every day.  As Jennings points out, many of these people have lost sight of the considerable amount of water that we take in every day in the form of food.  I’ve also heard the advice, mentioned in the article, that liquids like coffee or beer don’t count, because the caffeine or alcohol acts as a diuretic.  At some level, this is true: if you drink a quart of straight whisky at one sitting, you probably will get a bit dehydrated, among other things.  On the other hand, the effect does have something to do with relative amounts: if I put one teaspoon of whisky, or coffee, into ten gallons of water, I am quite confident that you can drink as much of the resulting mixture as you want with no risk of dehydration.

One might argue that none of these adages is especially pernicious, so little harm is done.  But getting people to behave rationally, even once in a while, seems to be hard.  Reinforcement of irrational thinking is hardly constructive.

As Kin Hubbard said, “Tain’t what a man don’t know that hurts him; it’s what he knows that just ain’t so.”

——

† Ken Jennings is a champion of the TV game show, Jeopardy!, who won more consecutive games (74) than any other player.  He was also one of the two human players involved in the Jeopardy! challenge match with IBM’s Watson computer system.


HVAC Hacking

December 15, 2012

I’ve written here a couple of times about some of the security issues associated with industrial control systems, sometimes called SCADA systems (for supervisory control and data acquisition).  These systems, which are used to control the electrical power grid, air traffic, telecommunications, and many other bits of infrastructure, are often connected to the Internet, though some of them were designed for an era of private networking.  Even those systems developed more recently may carry a legacy of design assumptions and implementation techniques that leads to exploitable security vulnerabilities.  The Stuxnet worm, which damaged nuclear centrifuge facilities in Iran, is perhaps the most notable recent example of an exploit.

The Stuxnet worm attacked control systems made by Siemens, but there are many vendors of these systems.  Ars Technica reports an attack against a heating, ventilation, and air conditioning (HVAC) control system in New Jersey.  The information was obtained from an unclassified FBI memorandum [PDF], published by the Public Intelligence web site.

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others.

The systems in question apparently contain a network interface that provides direct access to a GUI administrative application, giving the same access as a logged-in system administrator, without requiring a password.  In effect, the only information needed to take control of the system was the IP address (or a URL that points to it) of the Niagara system.  At the New Jersey firm, and apparently at numerous other places, the system was connected directly to the Internet without a firewall.   Subsequent to the start of the attacks against the New Jersey firm, the vendor, Tridium, and ICS-CERT released two advisories [PDFs] on vulnerabilities in the Niagara system.  According to Tridium, more than 300,000 Niagara control systems are installed world-wide; a search by Ars Technica turned up more than 20,000 connected to the Internet.

As I’ve said before, many systems of this type got their start back in the days before ubiquitous Internet connections, and were originally designed with private, controlled networks in mind.  (Having said that, it is hard to understand how anyone, regardless of circumstances, could think that a completely open administrative interface was a good idea.)  As the article points out, connecting these systems to the Internet provides considerable convenience to their operators:

The incident underscores the prevalence of industrial control systems that are connected to the Internet. Security consultants have long considered the practice to be unsafe. Sadly, they say, the convenience IT employees get from being able to administer those systems from home or other remote locations often trumps security concerns.

Getting that convenience by means of an Internet connection is cheap, in terms of out-of-pocket costs today, but the longer-term bill might be sizable.  I hope it does not take a disaster to get people’s attention.


IBM Announces Silicon Nanophotonics

December 12, 2012

One of the significant trends in recent computer system design has been the growing use of large-scale parallel processing.  From multiple-core CPUs in PCs to massively parallel systems like Titan at Oak Ridge National Laboratory, currently the world’s fastest supercomputer, and IBM’s Watson system, which won a convincing victory in a challenge match on Jeopardy!, the use of multiple processors has become the technique of choice for getting more processing horsepower.

These systems have achieved impressive levels of performance, but their design has its tricky aspects.  If the collection of processors is to work as one system, there obviously must be some mechanism for communication among them.  In practice, the capacity and speed of these interconnections can limit a system’s potential performance.  Even fiber-optic interconnections can be cumbersome with current technology: at each end, electrical signals must be converted to light pulses, and vice versa, by specialized hardware.

On Monday, IBM announced a new product technology that has the potential to remove some of these bottlenecks.   Building on research work originally described by IBM at the Tokyo SEMICON 2010 conference [presentation PDF], the Silicon Integrated Nanophotonics technology allows the fabrication of a single silicon chip containing both electrical (transistors, capacitors, resistors) and optical (waveguides, photodetectors) elements.

The technology breakthrough allows the integration of different optical components side-by-side with electrical circuits on a single silicon chip, for the first time, in standard 90nm semiconductor fabrication. The new features of the technology include a variety of silicon nanophotonics components, such as modulators, germanium photodetectors and ultra-compact wavelength-division multiplexers to be integrated with high-performance analog and digital CMOS circuitry.

IBM says that the technology allows a single nanophotonic transceiver to transfer data at 25 gigabits per second.  A single chip might incorporate several transceivers, allowing speeds in the terabit per second range, orders of magnitude faster than current interconnect technology.

Probably the more significant aspect of the announcement is that IBM has developed a method of producing these nanophotonic chips using a standard 90 nanometer semiconductor fabrication process.  Although I have not seen any specific figures, this has the potential to provide significantly faster and cheaper interconnections than current technology.

The initial deployments of the technology will probably be in large data centers, supercomputers, and cloud services.  However, if IBM has truly licked the manufacturing problem, there is no reason that the benefits should not, in time, “trickle down” to more everyday devices.

Ars Technica has an article on this announcement.


Google Releases Chrome 23.0.1271.97

December 11, 2012

Not to be outdone by Microsoft or Adobe, Google today released a new stable version, 23.0.1271.97, of its Chrome browser, for Mac OS X, Linux, Windows, and Chrome Frame.  This version incorporates the Flash Player updates released by Adobe today.  It also includes fixes for six identified security vulnerabilities, three of which Google rates as High severity, as well as a number of miscellaneous bug fixes.  For further information, please see the Release Announcement.

Because of the security content of this release, I recommend that you update your systems as soon as you conveniently can.   Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.


Flash Player Security Updates

December 11, 2012

Adobe has issued new versions of its Flash Player software, for all platforms, to address three Critical security vulnerabilities.  According to Adobe’s Security Bulletin [APSB12-27], vulnerable versions of the software are:

  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

A successful attack employing these vulnerabilities could crash the affected system, and possibly allow the attacker to gain control of it.

The updated version numbers for PC platforms are:

  • Windows: 11.5.502.135
  • Mac OS X: 11.5.502.136
  • Linux: 11.2.202.2

For Android and AIR version numbers, please see the Security Bulletin.

Users of the Flash Player bundled with Google’s Chrome browser or Microsoft’s Internet Explorer 10 should get a browser update that includes the new version via the built-in update mechanism.  Windows, Linux, and Mac OS X users can get the new version from the Flash Player download page.  (Windows users should note that they may need two updates: one for Internet Explorer, and one for any other browser that they may have installed.)  For other versions, please check the Security Bulletin.

You can check the version of Flash Player that you are using by visiting this Adobe page.
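Once you have the installed version string, the comparison against the bulletin's "and earlier" thresholds has to be numeric, field by field; a plain string comparison gets versions such as 11.5.502.99 wrong. The sketch below is an added example, not code from Adobe or from this post: the thresholds are the ones listed above, while the platform labels, host names and inventory are constructed for illustration.

```python
import re

# Last vulnerable Flash Player version per platform, copied from the
# APSB12-27 list above. The dictionary keys are labels chosen for this example.
LAST_VULNERABLE = {
    "windows": "11.5.502.110",
    "macintosh": "11.5.502.110",
    "linux": "11.2.202.251",
    "android-4.x": "11.1.115.27",
    "android-2.x-3.x": "11.1.111.24",
}

def parse_version(text):
    """Extract a four-field version as a tuple of ints.

    Accepts dotted ("11.5.502.110") and comma-separated forms with an
    optional platform prefix ("WIN 11,5,502,110").
    """
    match = re.search(r"\d+(?:[.,]\d+){3}", text)
    if match is None:
        raise ValueError(f"no four-field version in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group()))

def is_vulnerable(platform, installed):
    """True if `installed` is at or below the bulletin's threshold."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE[platform])

def hosts_needing_update(inventory):
    """Return the host names whose Flash Player version is still affected."""
    return [host for host, platform, version in inventory
            if is_vulnerable(platform, version)]

# Constructed inventory: (host, platform label, reported version string).
SAMPLE_INVENTORY = [
    ("desk-01", "windows", "WIN 11,5,502,110"),
    ("desk-02", "windows", "11.5.502.135"),
    ("desk-03", "windows", "11.5.502.99"),   # string comparison misjudges this one
    ("mac-01", "macintosh", "11.5.502.136"),
    ("build-01", "linux", "11.2.202.251"),
    ("tablet-01", "android-4.x", "11.1.115.27"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update Flash Player")
```

The check covers only the Flash Player thresholds in this bulletin; AIR is not included.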

Because it is widely installed across multiple platforms, Flash Player has always been an attractive target for the Bad Guys.  I recommend that you update your systems as soon as you conveniently can.

