Java and Security

With respect to Java, I’m pretty much in the same boat as Paul Graham: I’ve never used it but it does seem to have an unpleasant odor. One thing for sure, it’s a major exploit vector and, as a result, I have it disabled on my machines.

On the other hand, lots of people are writing tons of Java code that does useful things so it’s obviously a useful platform. One of the nice things about Java is its “write once” technology. An application, once written, will run on any platform. At least that’s the theory. Even if the actuality falls a bit short of that ideal, it’s still nice to be able to write applications that will—more or less—run on any supported platform.

Now, though, there’s news that should give everyone pause. eWeek is reporting that Java is the primary cause of 91% of cyber attacks. Think about that: nine in ten attacks target Java [1]. Of course, one could argue that if Java went away some other platform would take its place. Perhaps, but that doesn’t let Java off the hook.

There’s an awful lot of software written in Java and as I said above, it’s a useful platform. But there’s no excuse for the execrable state of the Java VM. The situation was bad when Sun was in charge and it doesn’t seem to have improved under Oracle’s aegis. Either Java gets those holes plugged or the platform will die.

Footnotes:

[1] These are probably attacks against browser apps written in Java but it’s still shocking. I don’t know why anyone would have Java enabled in their browser.

Posted in General

An Empty Do

Back when I was first learning Lisp by reading Paul Graham’s ANSI Common Lisp, Graham mentioned that sometimes you can do useful work with a DO loop having an empty body. I thought that was pretty neat but I’ve never come across a case where it was the natural solution. That is until now. As part of a small project I’m working on, I needed to evaluate a polynomial. The efficient way to do that is to use Horner’s rule.

If you’re a mathematician, you can think of Horner’s rule as being a consequence of synthetic division or, if you’re a programmer, as an application of strength reduction. Taking the programmer’s point of view, we have

$a_0 + a_1 x + \cdots + a_{n-1} x^{n-1} + a_n x^n = a_0 + x\,(a_1 + x\,(a_2 + \cdots + x\,(a_{n-1} + a_n x) \cdots))$

Here’s Horner’s rule in Common Lisp:

(defun horner (a x)
  "Evaluate the polynomial with coefficients in the array a at x."
  (if (= (length a) 1)
      (aref a 0)
      (do* ((k (1- (length a)) (1- k))
            (val (* (aref a k) x) (* (+ val (aref a k)) x)))
           ((<= k 1) (+ val (aref a 0))))))

Notice that the body of the DO is empty. That’s a pretty nice example; the implementation is natural and just what you’d write even if you’d never heard of the technique.

After I wrote that, I thought that you could do the same thing with a for loop in C. It turns out, though, that the semantics are just different enough that it doesn’t work—or at least I couldn’t make it work. The best I could do is

double horner ( double x, double *a, int deg )
{
    double val;
    int k;

    if ( deg == 0 )            /* constant polynomial: same base case as the Lisp version */
        return a[ 0 ];
    val = a[ deg ] * x;        /* innermost factor a_n * x */
    for ( k = deg - 1; k > 0; k-- )
        val = ( val + a[ k ] ) * x;
    return val + a[ 0 ];
}

You can see that they do the same thing in the same way but Lisp is wonderfully concise. Or, I suppose, horribly obscure depending on your point of view.
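The synthetic division view mentioned above, as an added example that is not code from the original post: the same recurrence Horner’s rule uses to evaluate p(c) also yields the quotient of p(x) divided by (x - c), with p(c) as the remainder. The function names and the sample polynomial are constructed for this illustration; coefficient order follows the post (a[0] is the constant term, a[deg] the leading coefficient).

```c
#include <stdio.h>

/* Divide p(x) = a[0] + a[1]x + ... + a[deg]x^deg by (x - c).
   Writes the quotient's deg coefficients into q (q[0] is its constant term)
   and returns the remainder, which equals p(c). q is untouched when deg == 0. */
double synthetic_divide(const double *a, int deg, double c, double *q)
{
    double b = a[deg];              /* b_deg = a_deg */
    int k;

    for (k = deg - 1; k >= 0; k--) {
        q[k] = b;                   /* b_{k+1} is quotient coefficient q_k */
        b = b * c + a[k];           /* b_k = a_k + c * b_{k+1}: one Horner step */
    }
    return b;                       /* b_0 = p(c) */
}

/* Cross-check: rebuild p as (x - c) q(x) + r and evaluate it at x,
   summing q's terms with explicit powers rather than Horner's rule. */
double eval_from_division(const double *q, int deg, double c, double r, double x)
{
    double qval = 0.0, xk = 1.0;
    int k;

    for (k = 0; k < deg; k++) {     /* q has degree deg - 1 */
        qval += q[k] * xk;
        xk *= x;
    }
    return (x - c) * qval + r;
}

/* Constructed sample: p(x) = 2x^3 - 6x^2 + 2x - 1, divided by (x - 3). */
static const double SAMPLE_A[] = { -1.0, 2.0, -6.0, 2.0 };
static double sample_q[3];

int main(void)
{
    double r = synthetic_divide(SAMPLE_A, 3, 3.0, sample_q);

    printf("quotient: %gx^2 + %gx + %g, remainder p(3) = %g\n",
           sample_q[2], sample_q[1], sample_q[0], r);
    printf("p(2) rebuilt from quotient and remainder: %g\n",
           eval_from_division(sample_q, 3, 3.0, r, 2.0));
    return 0;
}
```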

Update: Fixed formatting in polynomial strength reduction.

Posted in Programming

How to Stay Safe on the Internet

Stephen Haunts has a nice post on remaining private on the Internet. It’s reminiscent of the Prism Break web page that I’ve written about previously. He talks about some of the utilities that you can use out of the box to help maintain your privacy.

Haunts discusses Tor, GnuPG, Tails, TrueCrypt, Silent Circle and other utilities that should be in your toolkit. Take a look at his post and, of course, the Prism-Break page. If we all started using these utilities, privacy on the Internet would increase and we’d all be better off. Except, of course, the NSA.

Posted in General

How is this Legal?

I’m in favor of stopping botnets and all but remotely deleting old copies of Tor from users’ machines? I don’t see how Microsoft avoids lawsuits and criminal complaints. They doubtless have some obscure terms-of-service item covering this but if I were a Microsoft user, I’d be an ex-Microsoft user as soon as I discovered they’d been mucking about with my machine.

Posted in General

Electric Indents

Bozhidar Batsov over at Emacs Redux has another post up in his series on features of the upcoming Emacs 24.4. This time, he writes about Emacs Auto-indentation. The feature was added in Emacs 24.1 but in version 24.4 it’s enabled by default and there are, apparently, some additional improvements.

As Batsov remarks, sometimes electric-indent-mode doesn’t play nicely with some other (usually third party) packages. Happily, Emacs 24.4 now has electric-indent-local-mode, which allows you to turn off electric-indent-mode for individual buffers. Thus, all one need do is

(add-hook 'some-package (lambda () (electric-indent-local-mode -1)))

for each some-package that has problems with electric-indent-mode. It’s a nice feature to be able to disable a global mode for individual buffers.

I’m really enjoying Batsov’s posts on the new features and look forward to reading more.

Update: Dmitry Gutov has a great follow-on post that explores electric-indent-mode in Emacs 24.4 a bit further.

Posted in General

Ido Vertical Mode

A couple of days ago, I mentioned how much I’m enjoying ido-vertical-mode. I first learned about it from Sacha Chua’s chat with Magnar Sveen as I wrote about previously.

Now, serendipitously, Bozhidar Batsov over at the excellent Emacs Redux is also writing about it. Like me, he’s a fan and included an animated gif in his post that shows what ido-vertical-mode looks like in action. Take a look and see if you agree that it makes the information easy to read.

I admit I was a bit skeptical before I started using it. It seemed somehow un-Emacsy—silly, I know—but after using it for a few days I was a convert. Try it out and see if it works for you too.

Posted in General

Judge Rules Against the TSA

Back in December, I wrote about the government’s dubious tactics aimed at preventing a woman placed on the no-fly list from getting a fair trial on the matter. Because the woman is not a U.S. citizen, the government attempted to keep her from testifying by refusing to give her a visa. Then they attempted to keep her daughter, who is a U.S. citizen, from testifying by placing her on the no-fly list so that she couldn’t get home from visiting her mother in Kuala Lumpur. Then they lied to the judge, denying that any of it had happened.

Now the trial has concluded and the judge has ruled against the TSA on practically every point. The ruling itself is sealed until April to give the government time to appeal but the judge did release a summary. If you’re a U.S. citizen, you can’t help but be outraged at the government’s outlandish behavior in this case.

Update: judged → judge

Posted in General

Emacs Index Searching

Xah Lee has a blog post (2014-01-16) that reminded me of two useful functions that I can never seem to remember: emacs-index-search and elisp-index-search. They allow you to look up a topic in the Emacs or Elisp manuals by querying the index of those manuals. They aren’t bound to any keys by default (which is probably why I always forget about them) but they are available from the Help menu if your Emacs configuration displays it.

Lee uses elisp-index-search enough that he’s mapped it to a function key. That’s probably overkill for me but with the extraordinarily useful combination of ido-vertical-mode and flx-ido I can just type 【Meta+x】 eis to get the elisp index and 【Meta+x】 emis to get the Emacs index. That’s easy enough that I don’t mind doing it; now all I have to do is remember to use them.

Posted in General

Schneier on the NSA Threat

Yesterday, I wrote about how there is little evidence that the NSA’s mass surveillance is effective. Bruce Schneier has an interesting article up that argues it’s worse than that. Schneier says that the NSA is a threat to our security.

Most of his arguments will be familiar to Irreal readers but the thing that struck me was his depressing assessment of how difficult it will be to fix things. He says that new laws will be largely ineffective because the NSA will apply their infamous “novel interpretations” to them and lie about what they are doing. We need, he says, to work towards security not surveillance.

Put that way, it’s easy to see why he thinks the system will be hard to reform. Just think about all the NSA apologists and their constant mouthing of the agency’s talking points. Most of them, I’m sure, think security and sticking their noses into everyone else’s business are the same thing.

Posted in General

The Usefulness of Mass Surveillance

Remember those 50 plus terrorist plots that the NSA mass surveillance was instrumental in stopping? You won’t be surprised to learn that that was yet another lie. Ars Technica is reporting on a New America Foundation study that examined 225 cases in which terrorist suspects were “…recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda’s ideology, and charged in the United States with an act of terrorism since 9/11…” The report concludes that the NSA’s mass surveillance of Americans played an identifiable role in at most 1.8% of the cases.

What were those cases? It turns out that the 1.8% was 4 people involved in a single incident. The “terrorist plot?” The four conspired to donate $8,500 to the Somali terrorist group Al Shabaab. That’s a useful outcome but it’s really rather trivial compared to the massive trampling of millions of Americans’ fourth amendment rights.

The report goes on to say that traditional investigative techniques such as tips from the local community, informants and targeted intelligence were responsible for almost all of the government’s success in preventing terrorist attacks. The NSA is fond of saying that if these programs had been in place at the time, they would have stopped the 9/11 attacks. This report casts doubt on that, as does the Boston bombing, which the NSA was unable to detect despite the non-existent op sec on the part of the perpetrators leaving clues cluttering the ground.

Despite the report and the NSA’s inability to point to any substantial successes in preventing terrorist plots enabled by their mass surveillance, the usual suspects continue to assure us that these programs are there to keep us safe. Really, it’s time everyone stopped listening to them and started demanding reform. Or to put it in a slightly less polite way, those claiming that these programs are necessary should put up or shut up.

Posted in General