Instructor for Boomershoot Precision Rifle Clinic killed in Iraq

I just found out via Kim duToit that Adam Plumondore was killed in a car bomb explosion.  Adam and his co-worker Walter assisted Eugene Econ with the Precision Rifle Clinic last year. I had a few pictures that were taken by Ry and Michael of the Saturday night dinner during Boomershoot 2004 that I had never put up.  Some of those included pictures of Adam.  I put those up on my photo album a few minutes ago.  We all are saddened by this loss.

Update: See also this blog entry.
Update2: I found another picture and uploaded it here.

Saturday, 10:00 AM, Richland, still in bed

In a most pleasant change from normal I didn’t have to drive 150 miles home after work Thursday or Friday.  Barb, Xenia, and Xenia’s friend Sara drove over Thursday night to spend the weekend with me.  This saved me six hours of driving while still getting to be with my family for the weekend. 

I made pancakes yesterday morning for the girls and myself.  We had lunch at the Chinese buffet.  I got discount tickets at work and last night we went to see Finding Neverland. We all cried.  It was a great movie.  So here I sit, in bed, with Barb asleep beside me.  Life is good.

Quote of the day–Gun Control Network

All our objectives are predicated on the belief that the interests of public safety demand a reduction in the availability and attractiveness of guns of all kinds.

  1. Minimum age of 18 for the ownership, use and possession of all guns.
  2. Ban on the sale, manufacture and import of imitation guns and their possession in a public place.
  3. Certification of all deactivated weapons.
  4. Inclusion of airguns in certification system.
  5. One certification system for all legal weapons i.e. rifles, shotguns, airguns.
  6. Multi-shot rifles and shotguns to be banned.
  7. Practical or Combat shooting or any other shooting practice which involves the simulation of real life situations and/or the use of human shaped targets to be banned.
  8. Abolition or radical reconstitution of the Firearms Consultative Committee.

We recognise the existence of a significant minority interest in shooting for sport, and our proposals are aimed at striking an appropriate balance between the sport-shooting interest and the overriding interest in public safety.

Gun Control Network
Our Objectives as of February 19, 2005

The dust bunny vulnerability

I help design and implement solutions to improve security of various things against intelligent, determined adversaries.  I think I’m pretty good at it.  But I don’t think I would have envisioned and prevented the dust bunny that took down a network, supporting thousands, for hours.

I was in a meeting this afternoon where we were figuring out how to handle all the different possible failure situations in a communication protocol.  As we progressed I was getting more and more concerned.  The designers were explaining how things would work and I would come up with all these different situations they hadn’t considered.  Things like (not exactly, but close enough to get the point across): if your encryption keys are being updated every ten minutes, what happens when your main unit goes down and you have to bring online the backup control center 100 miles away?  How does the backup know what the current keys are?  They hadn’t thought of that.  Lots and lots of examples like that: things they hadn’t thought of but which were valid concerns.  They were very good at finding solutions to the “hand grenades” I was throwing at them, but it bothered me that I was the only one coming up with the complications.  I may be better than the average person at thinking of all the exceptions to a general rule (my wife sometimes gets angry with me when I do this in “normal conversation”) but I’m far from perfect.  What about all the exceptions I hadn’t thought of?  If two or more people from different perspectives were “lobbing hand grenades” at the proposed solution I would feel a lot better about the robustness of the solution.  I didn’t say anything about it, I just stewed on it: “Who else can we get to take a look at this for vulnerabilities?  Should I hire an outside consultant to review our work?  We really need to make sure we have thought of nearly everything…”  I was right in the middle of those thoughts when one of the guys told a story of something that happened at the lab a year or two ago.  I burst out laughing and continued even though they kept insisting it wasn’t funny.  Of course it wasn’t funny to them; they were there until the wee hours of the morning bringing the network back up with thousands of people needing them to be successful.  All I could think about was that I knew that no matter how many people were brought in or who those people were, they wouldn’t have envisioned a killer dust bunny.
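The key-rotation “hand grenade” above (how does a cold backup know the current key?) has a well-known defensive answer: derive each interval’s key from a long-term shared secret and a time counter, so both sites compute it independently with no state handed over. This is an added example of that design, not the protocol from the meeting; the secret, the 600-second interval and the one-interval skew tolerance are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed parameters (not from the post): both control centers hold the
# same long-term secret and derive the per-interval session key from it.
ROTATION_SECONDS = 600          # "every ten minutes", as in the post
LONG_TERM_SECRET = b"constructed-demo-secret-replace-in-real-use"


def epoch_for(timestamp):
    """Rotation interval number that contains this Unix timestamp."""
    return int(timestamp) // ROTATION_SECONDS


def session_key(epoch, secret=LONG_TERM_SECRET):
    """Derive the key for one interval with HMAC-SHA-256 over the epoch counter.

    The derivation is a pure function of (secret, epoch), so the backup site
    needs only its clock and the long-term secret, never a handover from the
    primary, to arrive at the same key.
    """
    label = b"session-key" + struct.pack(">Q", epoch)
    return hmac.new(secret, label, hashlib.sha256).digest()


def tag_message(message, timestamp):
    """Authenticate a message under the key of the interval it was sent in."""
    return hmac.new(session_key(epoch_for(timestamp)), message, hashlib.sha256).digest()


def verify_message(message, tag, timestamp, skew_intervals=1):
    """Accept a tag from the current interval or up to skew_intervals earlier.

    The tolerance covers a message sent just before a rotation and checked
    just after it, e.g. while the backup site is taking over.
    """
    now = epoch_for(timestamp)
    for epoch in range(now, now - skew_intervals - 1, -1):
        expected = hmac.new(session_key(epoch), message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):   # constant-time comparison
            return True
    return False
```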

If you have a critical resource like an engine on an airplane or a computer system that your entire company requires to function, you go to extraordinary efforts to make sure it doesn’t fail or that it can fail in a graceful manner. A power failure to a system with a UPS can give the computer a few minutes of warning that the power is going away when the batteries go dead. The computer then gets to shut down gracefully. If one computer system and/or UPS system fails, the second computer system and its independent UPS can continue without skipping a beat until the primary can be fixed. But as reliability engineer Ted Yellman from Boeing (and Teltone, where I met him) once told me many years ago, “The question usually isn’t how reliable or how many redundant systems you have, it’s how independent they are.” In this case someone was routing some cables through the false ceiling over the computer room for the network at the lab. Some dust came down (technically not a dust bunny, but it makes a better story if it is a dust bunny) and the fast-moving air in the computer room pulled the dust into the smoke detector. The smoke detector set off the fire control mechanism, which “knew” that you don’t want the electricity on when you turn on the sprinklers. And since the designers of the fire control system knew the computers were on a UPS, not just the normal power mains, it shut down the UPS as well. That brought down all the computers, main and backup, in a fraction of a second without the computers being able to shut down gracefully. Imagine planting your face in the middle of your plate of spaghetti during dinner instead of going to your room and getting into bed to fall asleep. And so it was with a room full of racks filled with computers–splat! It took them something like 170 man hours to bring the system back up. Some of the computers hadn’t been turned off in a year or more and some hard drives and other hardware failed on startup. Other systems had corrupted file systems that were discovered after they booted. The startup procedure had been written before new equipment and software had been installed. It was a nightmare–they had to diagnose and repair a complex system under time pressure with multiple simultaneous and unknown failures.
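Yellman’s point, that independence matters more than the count of redundant systems, can be checked mechanically: model each component’s dependencies and search for the smallest sets of failures that take down every redundant path. The example below is added here and is my reconstruction of the lab incident, not the lab’s own diagram; it generalizes beyond the story to any dependency graph, and the separate-fire-zone variant is an assumed fix, not what the lab did.

```python
from itertools import combinations

# Constructed dependency model of the lab in the post: component -> set of
# components whose failure also takes it down.  Loss of mains is left out:
# a UPS rides through it and lets the host shut down cleanly.
SHARED_FIRE_ZONE = {
    "fire_control": set(),           # one smoke detector covers the whole room
    "ups_main": {"fire_control"},    # fire control cuts the UPS output...
    "ups_backup": {"fire_control"},  # ...of both UPSes at once
    "computer_main": {"ups_main"},
    "computer_backup": {"ups_backup"},
}

# Assumed fix: the backup sits on its own fire zone (e.g. a separate room).
SEPARATE_FIRE_ZONES = dict(SHARED_FIRE_ZONE)
SEPARATE_FIRE_ZONES.update({
    "fire_control_remote": set(),
    "ups_backup": {"fire_control_remote"},
})


def is_down(component, failed, deps):
    """A component is down if it failed or anything it depends on is down."""
    if component in failed:
        return True
    return any(is_down(d, failed, deps) for d in deps[component])


def minimal_cut_sets(redundant, deps, max_size=2):
    """Smallest failure sets that take down every one of the redundant paths."""
    cuts = []
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(deps), size):
            failed = set(combo)
            if any(failed >= cut for cut in cuts):
                continue   # contains a smaller cut already reported
            if all(is_down(r, failed, deps) for r in redundant):
                cuts.append(failed)
    return cuts


def single_points_of_failure(redundant, deps):
    """Components whose failure alone defeats the redundancy (the dust bunny case)."""
    return sorted(next(iter(cut)) for cut in minimal_cut_sets(redundant, deps, 1))


if __name__ == "__main__":
    hosts = ["computer_main", "computer_backup"]
    print("shared zone SPOFs:   ", single_points_of_failure(hosts, SHARED_FIRE_ZONE))
    print("separate zones SPOFs:", single_points_of_failure(hosts, SEPARATE_FIRE_ZONES))
```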

So I’m thinking what hope do we have to guard against determined, intelligent adversaries when something as undetermined and unintelligent as a dust bunny can take us out?  And I’m reminded of the joke about computer programmers versus carpenters.

If carpenters built houses the way programmers write software, the first woodpecker that came along would destroy civilization.

SHA-1 Broken update

Yesterday morning I sent an email to some people at a company I knew was about to release a product using SHA-1.  I got this back last night:

Hi Joe,
 
Just saved me an email I was about to send you a similar one…
We’ve been tracking this since yesterday and evaluating what it means to us.
I’ll keep you posted of our evaluation and next step plan.
Thanks!
We have a meeting this afternoon on a project for which we were considering the use of SHA-1.  It was, and still is, a tough call in some ways.  SHA-256 generates 256 bits, which in our application means taking up a lot more of the available bandwidth.  I think we’ll probably go with SHA-256 though; this is a “critical infrastructure” application after all.  The consequences of inadequate security are just too great compared to the consequences of inadequate bandwidth in some older installations.  The bandwidth can be increased to accommodate SHA-256 more easily than we can undo the damage done by an attacker.

SHA-1 broken

SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

This attack builds on previous attacks on SHA-0 and SHA-1, and is a major, major cryptanalytic result. It pretty much puts a bullet into SHA-1 as a hash function for digital signatures (although it doesn’t affect applications such as HMAC where collisions aren’t important).

What he said.  Major, major cryptanalytic result.  The U.S. government, via NIST, planned to phase out SHA-1 by 2010 anyway.  I imagine this will speed things up a bit:

http://csrc.nist.gov/hash_standards_comments.pdf

…due to advances in technology, NIST plans to phase out of SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010.

See also: http://csrc.nist.gov/CryptoToolkit/tkhash.html

MD5 was partially broken months ago.  These are interesting times we live in.

First time deletion of a comment

I get lots of spam which I delete, but today was the first time I deleted a real comment.  It was for this post.  Kind of ironic I suppose, but I’m including the comment here:

Sender: ANTI -GUNNERS WORST NIGHTMARE
Url:
IP Address: 207.43.195.202
re: Pathetic anti-gun turnout

YOU LIBERALS ARE RETARDED! DO U REALLY BELIEVE EVERYTHING U READ OR HEAR?! YEAH I HAVE A 2000 CHEVY TRUCK THAT CAN FIRE 1,000,000 ROUNDS A MINUTE AT A TARGET THAT IS GOING 800 MPH! FUCKHEADS GET A CLUE, GET A LIFE, AND PULL YOUR HEAD OUT OF YOUR FUCKING ASS!!!!!!! GUN CONTROL IT’S NOT ABOUT GUNS, IT’S ABOUT CONTROL, AND I THINK YOU SHEEPLE AKA SHEEP ARE TOTALLY IN THAT CUNT SARAH BRADY’S CONTROL!!!! YOU ARE FUCKING BRAINWASHED BY A BUNCH OF U.S. HATING SELF PROCLAIMED COMMIE BASTARDS, WHO WANT TO TAKE ALL, YES ALL OF YOUR CIVIL RIGHTS AWAY!!!!!!!!!!!!!!

While I suspect the anonymous poster and I share some political opinions, our approach to the problem is quite different.  Foul language and name calling do not improve your standing with the public at large or the people that make law and policy.  If you feel it does, put it on your own site or someone else’s that agrees with your mythology.  It won’t be hanging around on my blog for long.  The IP address above resolves to Overland Park, Kansas.  I’ve spent enough time in Kansas to know that there are some bright, articulate people there.  The person that left the comment above does not represent the people of Kansas that I know.

Quote of the day–Lynne Stewart

To rid ourselves of the entrenched, voracious type of capitalism that is in this country that perpetuates sexism and racism, I don’t think that can come nonviolently.

Lynne Stewart
Civil rights lawyer convicted February 10, 2005 of smuggling messages of violence from one of her jailed clients — a radical Egyptian sheik — to his terrorist disciples on the outside.

[Apparently she doesn’t have a problem with the sexism of radical Islam.–Joe Huffman]

Quote of the day–Edmund Burke

We must not always judge of the generality of the opinion by the noise of the acclamation.

Edmund Burke (1729-97), Irish philosopher, statesman.
First Letter on a Regicide Peace (1796; published in The Writings and Speeches of Edmund Burke, vol. 9, ed. by Paul Langford, 1991).

What if…

As some of you know I am involved with biometrics at work.  And it’s possible that some of you put two and two together when you saw my “Quote of the day” yesterday.  One of the proposals I submitted for possible funding yesterday was to further develop a means of eliminating the need for passwords in computer security.  It’s possible that the computer would, in essence, “just know” you when you sat down and started using the computer.  And it could transmit your identity to other computers/websites that you interacted with, without the need for passwords.  Kind of cool in some ways, huh?  It’s possible that it would make it much harder for someone to get access to your bank account.  It would reduce the ability of “bad guys” to trick someone into giving up their password or mother’s maiden name, etc., and making off with their life’s savings.  Websites could be automagically restricted such that your children couldn’t access “adult” sites even if they got a password from a friend or discovered or guessed yours.  “Transparent security” could be very cool in some ways.

Among the downsides is that in a totalitarian society it would make it much tougher to deny your involvement in the freedom movement.  Another is that if the system were broken it would be harder to prove it wasn’t you that accessed that kiddy porn site.

From a technological standpoint I’m really excited about the prospect of providing a solution to this problem.  The question is: can it be made compatible with a free society and the individual fighting for freedom in a totalitarian society?

I’m ill, just in time for the weekend

As I reported on Wednesday, Barb was sick over the weekend and I may have become infected.  I was sort of teetering on the edge of being sick all week.  I would feel good in the morning then poor that evening.  I had a pretty stressful day at work yesterday getting a bunch of proposals out just before a deadline.  Two of them were mine; the other seven belonged to other people.  The boss man asked a co-worker (who had three) and me to “clean up” everyone else’s proposals and get them back to him by close of business.  My co-worker and I had things in fairly good shape for our stuff but some of the others were really bad.  I had the unpleasant task of telling one guy that he really needed to just start over.  He wasn’t at all happy and decided to “just drop it”. Another person decided to do just two instead of three after I talked to them about the changes needed.  But they did a good job once I gave them a little guidance.  Anyway we got them all cleaned up and out the door by 17:10, which was acceptable.  Then I had a three hour drive home and I arrived sick.  I wasn’t much better this morning and got worse throughout the day.  Lots of things I should do today and I basically just stayed in bed.  I just got up for a bit to try and do something productive for a little while.  I’ll probably be all better by Monday when I have to go back to work.

A few minutes ago I updated the Boomershoot Bloggers section of the Boomershoot website.  Analog Kid at Random Nuclear Strike has been linking to Boomershoot for the slightest excuse for weeks now and finally made it over the 100 unique referrals to warrant a free entry.  Thank you! 

I received two more Boomershoot entries this week.  The event is half full now.  Wish I was feeling well enough to get some more work done on the event.  There are more targets to modify and more experiments to do.

Name that bullet

My nephew is in Iraq and came across a rather odd bullet.  Any ideas on what it is made of?  And what kind of gun shoots it?  Wish he had answered more of my questions…

Jason:

…we dug the slugs out of the wall and the humvee tire and they were strange.  Not lead.  Really light and silver.  Steel maybe?  But really light.  Maybe a muj attempt at an armor piercing round made out of steel?  They had a tracer mix in them though.  So that makes me think it’s manufactured.  And I didn’t really get a good look at the weapon system, but it was full auto and I think an RPK.  Which should be a 7.62 round, but the slug was small.

Thoughts?

Joe:

Mild steel bullets were made by the Chinese.  Maybe some others as well.  Have you tried a magnet on it?  The Chinese bullets were 7.62 x 39 and the same weight as lead bullets, but longer to make up for the lower density.

Did they have a jacket?  “The slug was small”.  Small in diameter or length? Did it compress, break into pieces, or not really deform when it hit rubber, wood, brick, or metal?  Compare in weight to your 7.62 or 5.56 rounds or a penny or ideally actually measure the weight in grains or grams.  Actual dimensions and shape would also help determine what they are intended for.  Pictures?

Jason:

The bullet was about the size of a .22.  It didn’t deform much at all when it punched through the hub of the humvee and into the run flat tire.  It was also able to punch through about 18 inches of concrete with little or no deforming either.  It was a tracer/ball mix of about 4 to 1.  And fired from what sounded like an AK or RPK. 

Okay, got to run.  If you want to ask other people about the round feel free, it’s not classified or anything.