UMBC ebiquity
CS

Archive for the 'CS' Category

Lisp in 96 lines of Python: Maxwell’s equations of software

September 30th, 2010, by Tim Finin, posted in Programming

Peter Norvig has exquisite tastes in programming, is a Lisp guru and is also a great Python hacker. Put that together and what do you get? Lis.py, an interpreter for the core of the Lisp dialect Scheme in 96 lines of Python. Norvig mentions Alan Kay’s view of Lisp as “Maxwell’s Equations of Software” in a 2004 interview with Stu Feldman:

SF: If nothing else, Lisp was carefully defined in terms of Lisp.

AK: Yes, that was the big revelation to me when I was in graduate school—when I finally understood that the half page of code on the bottom of page 13 of the Lisp 1.5 manual was Lisp in itself. These were “Maxwell’s Equations of Software!” This is the whole world of programming in a few lines that I can put my hand over.

There is also a companion essay, (How to Write a ((Better) Lisp) Interpreter (in Python)), that shows how to add other features, like macros, quasi-quote, tail recursion optimization and continuations. Sadly, this bloats the code to well over 200 lines.

Taintdroid catches Android apps that leak private user data

September 30th, 2010, by Tim Finin, posted in Mobile Computing, Privacy, Security, Social

Ars Technica has an article on bad Android apps, Some Android apps caught covertly sending GPS data to advertisers.

“The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user’s location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.”

TaintDroid is an experimental system that “analyses how private information is obtained and released by applications ‘downloaded’ to consumer phones”. A paper on the system will be presented at the 2010 USENIX Symposium on Operating Systems Design and Implementation later this month.

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth, OSDI, October 2010.

The project, Realtime Privacy Monitoring on Smartphones has a good overview site with a FAQ and demo.

This is just one example of a rich and complex area full of trade-offs. We want our systems and devices to be smarter and to really understand us — our preferences, context, activities, interests, intentions, and pretty much everything short of our hopes and dreams. We then want them to use this knowledge to better serve us — selecting music, turning the ringer on and off, alerting us to relevant news, etc. Developing this technology is neither easy nor cheap and the developers have to profit from creating it. Extracting personal information that can be used or sold is one model — just as Google and others do to provide better ad placement on the Web.

Here’s a quote from the Ars Technica article that resonated with me.

“As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important.”

We, and many others, are trying to prepare for the next step — when users can define their own privacy policies and these will be understood and enforced by their devices.
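To make the idea behind TaintDroid concrete, here is an added toy dynamic taint monitor in plain Python. It is not TaintDroid’s code: privacy sources label the data they return, the label rides along through string concatenation, and the network sink reports any labelled payload before it leaves. The app names, hosts and sample values are constructed for the demo.

```python
# Added example, not TaintDroid's code: a toy dynamic taint monitor in
# plain Python. Privacy sources label the data they return, labels ride
# along through string concatenation, and the network sink reports any
# labelled payload before it leaves. App names, hosts and sample values
# below are constructed for the demo.
from __future__ import annotations

from dataclasses import dataclass

LOCATION = "location"
PHONE_NUMBER = "phone_number"


@dataclass(frozen=True)
class Tainted:
    """A string plus the set of privacy labels it was derived from."""
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        # Tainted + (Tainted | str): the result carries the union of labels
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.labels | other.labels)
        return Tainted(self.value + str(other), self.labels)

    def __radd__(self, other):
        # str + Tainted: a plain-string prefix does not wash the label off
        return Tainted(str(other) + self.value, self.labels)


# --- taint sources (stand-ins for the platform's location/telephony APIs) ---
def get_last_location() -> Tainted:
    return Tainted("39.2555,-76.7113", frozenset({LOCATION}))  # constructed coordinates


def get_phone_number() -> Tainted:
    return Tainted("+14105550100", frozenset({PHONE_NUMBER}))  # constructed number


@dataclass(frozen=True)
class LeakReport:
    app: str
    host: str
    labels: frozenset
    payload: str


class TaintMonitor:
    """Network sink: records a report whenever labelled data reaches it."""

    def __init__(self) -> None:
        self.reports: list[LeakReport] = []

    def send_to_network(self, app: str, host: str, payload) -> bool:
        labels = payload.labels if isinstance(payload, Tainted) else frozenset()
        if labels:
            self.reports.append(LeakReport(app, host, labels, payload.value))
            return True  # labelled data reached the network; reported
        return False


# --- two constructed apps exercising the monitor ---
def ad_supported_game(monitor: TaintMonitor) -> bool:
    """Builds an ad request that quietly embeds location and phone number."""
    url = ("http://ads.example.invalid/serve?loc=" + get_last_location()
           + "&id=" + get_phone_number())
    return monitor.send_to_network("com.example.freegame", "ads.example.invalid", url)


def weather_widget(monitor: TaintMonitor) -> bool:
    """Sends only a user-chosen city name, which carries no label."""
    return monitor.send_to_network("com.example.weather", "api.example.invalid",
                                   "http://api.example.invalid/forecast?city=Baltimore")


def run_sample_apps() -> list[LeakReport]:
    monitor = TaintMonitor()
    ad_supported_game(monitor)
    weather_widget(monitor)
    return monitor.reports


if __name__ == "__main__":
    for r in run_sample_apps():
        print(f"{r.app} -> {r.host}: {sorted(r.labels)} in {r.payload}")
```

The toy tracks only explicit data flow (a labelled value copied into another value); data that leaks through control flow, for example an app that sends one of two fixed strings depending on the user’s location, goes unnoticed, which is a general limitation of this style of tracking. TaintDroid does the equivalent labelling inside the Android runtime rather than in a wrapper class, which is what lets it observe unmodified apps.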

Is Stuxnet a cyber weapon aimed at an Iranian nuclear site?

September 23rd, 2010, by Tim Finin, posted in cybersecurity, Security

There have been reports over the past weeks about Stuxnet, a new malware system that experts say is designed to seek out and damage certain kinds of industrial sites. Some argue that it has already hit and damaged its target.

The Christian Science Monitor published a good overview earlier this week.

“Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.”

The computer security company Symantec has been tracking it for a while and reported back in August that Stuxnet differs from typical Windows-oriented malware in that it is designed to infect the Programmable Logic Controllers used in industrial control systems.

“As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Symantec’s analysis of where Stuxnet has been found supports the theory that it was intended for targets in Iran, as the following map illustrates.

Security expert Frank Rieger writes that Stuxnet is exceptionally well designed and written and starts out on infected USB sticks.

“stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.”

Rieger further argues that evidence suggests that Stuxnet is targeted not at Iran’s Bushehr reactor but at the uranium enrichment plant in Natanz and has already achieved success. To support the last conclusion, he cites a note on Wikileaks about “a serious, recent, nuclear accident at Natanz” in July 2010.

Kodu: see apple red, move toward quickly

September 21st, 2010, by Tim Finin, posted in Games, Programming

The New York Times has a short article, The 8-Year-Old Programmer, on Kodu, a programming environment intended to help young children learn to write programs.

“Kodu, built by a team at Microsoft’s main campus outside Seattle, is a programming environment that runs on an Xbox 360, using the game console’s controller rather than a keyboard. Instead of typing if/then statements in a syntax that must be memorized — as adult programmers do — the student uses the Xbox controller to pop up menus that contain options from which to choose. Kodu itself resembles a video game, with a point-and-click interface instead of the thousand-lines-of-text coding tools used by grown-ups.”

You can also read about Kodu in the Wikipedia article Kodu Game Lab or Kodu project page at Microsoft Research, from which you can also download a free version for the PC.

Kodu is a rule-based, event-driven language with a simple context-free grammar that lets you write rules like “see apple red, move toward quickly”.

Kodu takes its place in a long history of programming languages developed to teach programming to children, starting with Logo in the late 1960s. None of these have ever truly caught on, although Logo was taught in many elementary schools in the 1980s. As a computer scientist, I believe that being able to write simple programs for one’s own use will eventually be a skill that all educated people will have, just as being able to do basic numerical computations and write effective text are today.

Google, China and Cyber-security

September 11th, 2010, by Tim Finin, posted in cybersecurity, Google, Security

The US Army War College publishes Parameters as the “US Army’s Senior Professional Journal”. The summer issue has an article by Fort Leavenworth analyst Timothy L. Thomas, Google Confronts China’s Three Warfares, that discusses alleged recent Chinese hacking attacks on Google, censorship, Google’s reactions, and other related events. His article concludes:

“The Chinese probes of the world’s cyber domains have not ceased. Recently, Canadian researchers uncovered a massive Chinese espionage campaign targeting India. In their report, Shadow Network, they outlined the massive campaign emanating from Chengdu, China that harvested a huge quantity of data from India’s military and commercial files. China’s activities against Google and India (and their reconnaissance activities in general) portend a much broader pattern, a long-term strategy to hold military and economic assets of various nations hostage. There are a number of Chinese books that support this supposition. Gaining the high ground in international digital competition is becoming a national objective for the Chinese. China’s previous activities certainly afford them a political advantage in any future conflict.”

UMBC cyber defense team seeks new members

September 8th, 2010, by Tim Finin, posted in cybersecurity, Security

UMBC’s Cyber Defense Team is looking for new members. In spring 2010 the team competed in the regional Collegiate Cyber Defense Championship for the east coast. In this competition, each team defended a mock corporate network against a horde of professional hackers in a fast-paced, real-time event over the course of two days. The competition is also a great way to network with government agencies and key companies in the security industry.

The UMBC Cyber Defense Team provides a great opportunity to gain practical, hands-on experience in information security, intrusion detection, cybersecurity, and network security. The team practices both penetration and defense of isolated networks similar to real business environments. The group will give introduction presentations 12-1pm on Wednesday, September 15th in ITE 201b and 1-2pm on Thursday, September 16th in ITE 325b.

No experience is required, but you should be motivated to learn about computer networks and systems security. Contact Justin McMillion at jmcmil1 @ umbc.edu for more information.

Cybersecurity as the seamy underbelly of information technology

September 8th, 2010, by Tim Finin, posted in cybersecurity, Security

nextgov reports in ‘Scientists view cybersecurity as an intimidating conundrum’ on the President’s Council of Advisors on Science and Technology’s recent look at cybersecurity.

“The Internet’s extensive cybersecurity vulnerabilities are so hard to fix that information technology researchers sometimes avoid studying the topic like they were steering clear of the seamy underbelly of a great metropolitan city, top scientists said on Thursday.

Jeannette M. Wing, who served as assistant director of the computer and information science and engineering directorate at the National Science Foundation from 2007 until recently, was called in by the President’s Council of Advisors on Science and Technology to discuss specific areas in the networking and information technology sector that the federal government should be investing research and development funds in.

“I think cybersecurity . . . is the most difficult challenge. And it’s not just a societal and political challenge. It’s a technical challenge,” said Wing, who this summer returned to her post as head of the computer science department at Carnegie Mellon University. “Leadership needs to come from the top since no one sector of government, industry and academia can address this challenge alone.”

PCAST is an advisory group of the nation’s leading scientists and engineers who directly advise the President on areas involving science, technology, and innovation, strengthening our economy and forming policy that works for the American people. PCAST is administered by the Office of Science and Technology Policy (OSTP).

You can see Dr. Wing’s testimony in this video.

UMBC launches new cybersecurity graduate programs

August 27th, 2010, by Tim Finin, posted in cybersecurity, Security, UMBC

UMBC has established two new graduate programs in cybersecurity education, one leading to a Master’s in Professional Studies (MPS) degree in cybersecurity and another to a graduate certificate in cybersecurity strategy and policy. Both are designed for students and working professionals who aspire to make a difference in the security, stability, and functional agility of the national and global information infrastructure. The programs will begin in January 2011.

Middle-earth dictionary attack

August 24th, 2010, by Tim Finin, posted in Humor, Security

[Comic: Middle-earth dictionary attack]
From http://abstrusegoose.com/296

Researchers install PAC-MAN on Sequoia voting machine w/o breaking seals

August 23rd, 2010, by Tim Finin, posted in Games, Security, Social media, Technology Impact

Here’s a new one for the DIY movement.

Security researchers J. Alex Halderman and Ariel Feldman demonstrated PAC-MAN running on a Sequoia voting machine last week at the EVT/WOTE Workshop held at the USENIX Security conference in DC.

Amazingly, they were able to install the game on a Sequoia AVC Edge touch-screen DRE (direct-recording electronic) voting machine without breaking the original tamper-evident seals.

Here’s how they describe what they did on Halderman’s web site:

“What is the Sequoia AVC Edge?

It’s a touch-screen DRE (direct-recording electronic) voting machine. Like all DREs, it stores votes in a computer memory. In 2008, the AVC Edge was used in 161 jurisdictions with almost 9 million registered voters, including large parts of Louisiana, Missouri, Nevada, and Virginia, according to Verified Voting.

What’s inside the AVC Edge?

It has a 486 SLE processor and 32 MB of RAM—similar specs to a 20-year-old PC. The election software is stored on an internal CompactFlash memory card. Modifying it is as simple as removing the card and inserting it into a PC.

Wouldn’t seals expose any tampering?

We received the machine with the original tamper-evident seals intact. The software can be replaced without breaking any of these seals, simply by removing screws and opening the case.

How did you reprogram the machine?

The original election software used the psOS+ embedded operating system. We reformatted the memory card to boot DOS instead. (Update: Yes, it can also run Linux.) Challenges included remembering how to write a config.sys file and getting software to run without logical block addressing or a math coprocessor. The entire process took three afternoons.”

You can find out more from the presentation slides from the EVT workshop, Practical AVC-Edge CompactFlash Modifications can Amuse Nerds. They sum up their study with the following conclusion.

“In conclusion, we feel our work represents the future of DREs. Now that we know how bad their security is, thousands of DREs will be decommissioned and sold by states over the next several years. Filling our landfills with these machines would be a terrible waste. Fortunately, they can be recycled as arcade machines, providing countless hours of amusement in the basements of the nations’ nerds.”

UMBC ranked #4 in IT degrees among US research universities

August 18th, 2010, by Tim Finin, posted in CS, UMBC

For the past twenty years, UMBC has had a large number of students majoring in information technology. Our Computer Science and Information Systems programs are among the largest on campus and newer ones like Computer Engineering and Bioinformatics are growing.

Last week I had a chance to look at the latest information from the Department of Education’s National Center for Education Statistics, which is available from NSF’s WebCASPAR site. Data from the IPEDS Completions Survey shows that UMBC is fourth among U.S. research universities in the production of IT degrees and certificates.

In this analysis, I averaged the numbers from the two most recent years available — 2007 and 2008. Here are the top ten in terms of total production in the Carnegie classification categories RU/VH and RU/H.

Average yearly production in 2007 and 2008

| TOTAL | INSTITUTION | BS/A | MS | PHD | OTHER |
|---|---|---|---|---|---|
| 552 | Penn State | 480 | 20 | 14 | 39 |
| 520 | University of Southern California | 65 | 414 | 41 | 0 |
| 513 | CMU | 124 | 331 | 58 | 0 |
| 503 | UMBC | 327 | 112 | 14 | 50 |
| 493 | Johns Hopkins University | 44 | 426 | 14 | 10 |
| 461 | New Jersey Institute of Technology | 165 | 279 | 11 | 7 |
| 377 | Georgia Tech | 176 | 172 | 30 | 0 |
| 331 | Drexel | 253 | 72 | 1 | 5 |
| 329 | MIT | 160 | 129 | 21 | 20 |
| 324 | University of California-Irvine | 226 | 58 | 40 | 0 |

In this group, UMBC also ranks #2, #21 and #31 for undergraduate, MS and PhD degree production, respectively. Here’s a graph of the top 50 — click through for a larger version.

[Graph: Top 50 producers of IT degrees among US research universities]

Looking at all schools shows the University of Phoenix generates the most IT grads, with an average of 3318 students over 2007 and 2008! Here are the top 15 schools of any type.

Average yearly production in 2007 and 2008

| TOTAL | INSTITUTION |
|---|---|
| 3318 | University of Phoenix |
| 1162 | Community College of the Air Force |
| 1087 | University of Maryland University College |
| 931 | Strayer College |
| 911 | ECPI College of Technology |
| 711 | De Paul University |
| 552 | Penn State |
| 528 | Rochester Institute of Technology |
| 520 | University of Southern California |
| 514 | DeVry Institute of Tech |
| 513 | CMU |
| 503 | UMBC |
| 493 | Johns Hopkins University |
| 461 | New Jersey Institute of Technology |
| 430 | Baker College of Flint |

Usability determines password policy

August 16th, 2010, by Tim Finin, posted in Policy, Privacy, Security, Social media

Some online sites let you use any old five-character string as your password for as long as you like. Others force you to pick a new password every six months and it has to match a complicated set of requirements — at least eight characters, mixed case, containing digits, letters, punctuation and at least one umlaut. Also, it better not contain any substrings that are legal Scrabble words or match any past password you’ve used since the Bush 41 administration.

A recent paper by two researchers from Microsoft concludes that an organization’s usability requirements are the main factor that determines the complexity of its password policy.

Dinei Florencio and Cormac Herley, Where Do Security Policies Come From?, Symposium on Usable Privacy and Security (SOUPS), 14–16 July 2010, Redmond.

We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.

We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.

h/t Bruce Schneier
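As an added example (not from the paper or the post), here is a small declarative password-policy checker that makes the two kinds of policy described above concrete: a lenient policy that accepts any five characters, and a strict one with length, character-class, forbidden-word and reuse rules. The policy names, word list, hashing parameters and sample passwords are constructed for the demo; the search-space figure is only an upper bound for the shortest compliant password.

```python
# Added example, not the paper's or the post's code: a declarative
# password-policy checker. Policy names, word lists and sample
# passwords are constructed for the demo.
import hashlib
import math
import os
import string
from dataclasses import dataclass

PRINTABLE = 95  # distinct printable ASCII characters a user can type


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_mixed_case: bool = False
    require_digit: bool = False
    require_punctuation: bool = False
    forbidden_words: frozenset = frozenset()  # no compliant password may contain these
    history_size: int = 0  # how many previous passwords may not be reused


def hash_password(password: str, salt: bytes) -> bytes:
    # The history stores (salt, digest) pairs, never the old password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password: str) -> tuple:
    """Produce the (salt, digest) pair kept in a user's password history."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def violations(policy: PasswordPolicy, candidate: str, history=()) -> list:
    """Return the rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (
        any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
    ):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if policy.require_punctuation and not any(c in string.punctuation for c in candidate):
        problems.append("needs a punctuation character")
    lowered = candidate.lower()
    for word in sorted(policy.forbidden_words):
        if word in lowered:
            problems.append(f"contains forbidden word {word!r}")
    # Only the most recent history_size entries count; each is rehashed with its own salt.
    for salt, digest in list(history)[: policy.history_size]:
        if hash_password(candidate, salt) == digest:
            problems.append("reuses a recent password")
            break
    return problems


def max_search_space_bits(policy: PasswordPolicy) -> float:
    """Upper bound (in bits) on the guessing space of the shortest compliant password.

    Character-class rules can only remove strings from this space, so the
    minimum length is what actually sets the bound.
    """
    return policy.min_length * math.log2(PRINTABLE)


LENIENT = PasswordPolicy("lenient", min_length=5)
STRICT = PasswordPolicy(
    "strict", min_length=8, require_mixed_case=True, require_digit=True,
    require_punctuation=True, forbidden_words=frozenset({"password", "qwerty"}),
    history_size=3,
)

if __name__ == "__main__":
    for policy in (LENIENT, STRICT):
        print(policy.name, round(max_search_space_bits(policy), 1), "bits at most")
    print(violations(STRICT, "Qwerty1!x"))
    old = remember("Correct#Horse9")
    print(violations(STRICT, "Correct#Horse9", history=[old]))
```

Running it prints roughly 32.8 bits for the lenient policy and 52.6 for the strict one, which shows that the length requirement, not the extra character-class rules, accounts for nearly all of the difference between the two policies. The reuse check rehashes the candidate under each stored salt, so the history never has to hold a recoverable form of the old passwords.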
