Thursday, June 26, 2003

Canadian Members of Parliament are vowing to fight an amendment to the Copyright Act. From the story in the National Post:
Opponents told the committee the amendment could keep potentially important documentation from a number of prominent Canadians -- R.B. Bennett and Sir Wilfrid Laurier, two former prime ministers, and others -- away from historians and students.

I found this quote both surprising and encouraging. With Eldred's failure to get the Sonny Bono Copyright Term Extension Act declared unconstitutional south of the border (see Eldred v. Ashcroft), it's easy to assume that the people in power don't understand the value of the public domain. Stories like this one buck me up! :-) And our MPs, no less! Woo hoo! Free the mouse!
Boy, if nothing else, this controversy over the University of Calgary's malware-writing course has certainly put the institution on the international map! The Risks Digest Volume 22: Issues 76 and 77 continue the debate.

Tuesday, June 24, 2003

Well, the s**t storm ended today, as everyone knew it eventually would: Today, George Radwanski issued his resignation as the Privacy Commissioner of Canada.

I don't know what the majority of Canadians think about this news, but I've heard a lot of indifference from the people I've talked with. I don't claim to know all that Mr. Radwanski did for our privacy rights, but what I do know impressed me. His fights against video surveillance in Kelowna, BC and Air Canada's opt-out Aeroplan stick out in my mind as shining examples. This man did a lot of good work on behalf of Canadians, despite what the media has focused on. And what of it? A mistake in a filing and a budget that's as big as that of the other four watchdogs combined. So what, I say.

As Mr. Radwanski points out in his statement, few watchdogs have faced the challenges thrown at privacy advocates in the wake of the World Trade Centre attack. He has been out there (especially in the U.S.) making people aware of the consequences of rash policy. The U.S. may have a similar advocate in the future, thanks to Mr. Radwanski's efforts. And let's dispense with the shock surrounding how our government does business; fancy lunches, suppers, etc. are nothing new, and many more would hang by that criterion. I'll take Mr. Radwanski's "When in Rome" attitude over the idealist in the office any day. The important point is that he was getting the message out there! Privacy is a right, and it's no longer guaranteed!

Whatever his failings, the quick execution of Mr. Radwanski's character should give Canadians pause. There are plenty of hooks to dangle your conspiracy theories from, but in the end, it simply proves that no one's character is safe.

Goodbye, Mr. Radwanski. You will be missed.

John L. Jarvis is a writer working out of Ottawa. He can be reached at

Wednesday, June 18, 2003

I'm pleased to say that Bruce Schneier's opinion on malware-writing courses is in line with my own (if a bit harsher). :-) No matter what you think of him, there's no arguing the weight his opinion carries in security circles.

If you're interested in my opinion (and you must be somewhat interested; you're reading this, after all), read my blogs around the beginning of the month.

Monday, June 09, 2003

Movie Review - The Matrix Reloaded

I finally took in The Matrix Reloaded last night. Despite being a big fan of The Matrix (I lost count of how many times I saw it in the theatre, but half a dozen wouldn’t be hyperbole), I didn’t even entertain the idea of going to its opening night. and cookie-cutter “Go big or go home!” theatres have killed the magic of opening night. And once you’ve missed opening night, what’s the rush? My verdict on The Matrix Reloaded? What’s the rush indeed.

Before I comment on the movie, I’ll be honest about two factors that undoubtedly affected my experience: (1) I heard general comments from two people indicating that the movie took some time to ramp up (ranging from half an hour to an hour), and (2) I haven’t watched The Matrix in more than three years. The former had me expecting the action and the story to pick up at some point, and the latter had me expecting the movie to largely stand on its own. Alas, I was disappointed on both counts.

I firmly believe that the popularity of The Matrix had as much to do with its intelligent, fast-paced story as its groundbreaking action sequences. With the exception of Keanu’s ever-wooden presence and the sap between his character and Trinity, the movie worked and moved. The consensus is that The Matrix Reloaded did not move; I would say it twitched, and most often with action, as opposed to a story. The one exception was Neo’s conversation with The Architect.

Of course, by the time Neo made it to the door of light, the audience had given up on seeing the overarching story progress. I suspect most of that philosophical conversation fell on deaf ears. (Lord knows I had to mentally slap myself a few times, and I heard a kid behind me say, “Look! It’s his whole life.”) However, this story is a dichotomy because it isn’t simply a case of padding an hour and a half around a half-hour story; the material that was included seemed to have suffered terribly on the chopping block. For example, what was the point of the Morpheus-Niobe-Lock love triangle? Or Jada Pinkett Smith’s character, for that matter? I can hear her now, “Was all that footage just for the video game?”

These questions really get to the heart of my disappointment with The Matrix Reloaded: I wasn’t engaged. I didn’t care that Zion was in imminent danger, or that Link was struggling to sort out his priorities. I didn’t believe Morpheus’ rhetoric (which really killed the potential of Neo’s return), or Neo and Trinity’s love (O.K., so I didn’t believe it in the first one either… Why do they even attempt that?). Compare that with the first movie, where I feared the agents and wanted those characters to grab that receiver and get the hell out of there; where the Matrix itself was truly horrifying; where Neo’s surviving his first confrontation with an agent was so exhilarating. The truth is that it’s no comparison at all.

So what about the action sequences? Surely they saved the movie, right? Yes and no. I really enjoyed the fight between Neo and Seraph (The Oracle’s guardian). I also enjoyed Trinity’s attempt to get The Keymaker out by motorcycle. However, beyond that, my enjoyment was fleeting: the twins in the parking garage, the whole floor of that building exploding. And these scenes had to compete with fiascos like that Agent-Smith-a-thon. I felt like I was watching the commercial for Star Wars: Knights of the Old Republic all over again! When things got hairy, Neo’s skin lost all its texture, its shadows… They looked like plastic figures! It really annoyed me, knocking me right out of the scene.

Of course, the action sequences weren’t the only source of my annoyance. In fact, this movie’s low of “Kiss me in front of this snazzy urinal or you’ll never find The Keymaker” was beyond annoying; it was really disappointing. From Trinity and Neo’s game of Count-the-sockets to Electric Circus “Live from Zion” to the (cue slimy, French accent) “Let’s see what’s under that dress of yours, yes?” scene, The Matrix Reloaded was often crass. And while that’s to be expected of most movies these days, The Matrix wasn’t like most movies; with scenes like “the woman in red,” it set a classy precedent.

Some may say that my criticisms are unfair, that expecting The Matrix Reloaded to stand on its own is unrealistic. After all, they covered a lot of ground in the first movie; why tie the director’s hands by making him repeat it? My answer to those people is that if this story can’t stand on its own – without the background of the first installment – is it really worth telling? My first thought upon hearing about a Matrix sequel was, “Who wants to watch a story about a god?” In the back of my mind, I knew they would have to come up with a knockout if they hoped to avoid, “Don’t miss our next installment: God runs out of toilet paper… on holiday Monday!” The Matrix Revolutions may be that knockout; we’ll know in a few short months. If so, I suspect that most of The Matrix Reloaded will be remembered as the chaff on an exceptional, two-part story.

John L. Jarvis is a writer working out of Ottawa. He can be reached at

Tuesday, June 03, 2003

Wow! Getting fired for sending inappropriate e-mail at work is nothing new, but how about for just receiving it? This really does smack of a vendetta; after all, it doesn't take a technically-savvy supervisor to ask the employee who complained for a forwarded copy of the offending e-mail message. Yes, said supervisor might be fooled by a forged message, but I'm guessing this hospital employee wouldn't be capable of that. And if they fired her for showing a printed copy of the e-mail message, they should've asked for a witness to corroborate the story.

That aside, if a complaint were filed against me, I'd hope they'd go to the mail server log files before canning me! She was her family's sole provider, for crying out loud!
There's a fiery series (Chapter 2, Chapter 3 and Chapter 4 - I have no idea what happened to the first chapter) on the University of Calgary's virus-writing course at

I was irate after reading the second chapter, all ready to fill this blog with liberal "there shouldn't be any restrictions on registering for university courses." Then the third chapter took the wind out of my sails. I still believe it; it's just a relatively small issue in the face of the United States' evolving view of Canada.

Monday, June 02, 2003

Is it unethical to teach students how to write computer viruses? Part 3 of this saga follows:

From: "John Jarvis"
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Monday, June 02, 2003 12:04 AM

----- Original Message -----
From: "M Taylor"
Sent: Sunday, June 01, 2003 1:37 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Prove it. Explain how a student (of Dr. Brunnstein's) who has not written a malicious piece of software is less equipped to deal with new security threats than the student who wrote a file virus or macro virus (in Dr. Aycock's class).

Obviously I can't prove that. All other education and experience being equal, Dr. Aycock's graduates will have one extra tool in their belts. Will that advantage amount to anything? I don't know, but I don't think it's unethical to teach it.

Explain how having written some malware will help any professional deal with unknown malware in the wild. I argue that having had additional time to study reverse engineering of unknown code/executables is far more useful to deal with new threats in the wild.

And I would agree that reverse engineering capabilities would be invaluable to these students; why is it a question of one or the other? Again, it's just one more option available to the student. You're inundated with information at university, most of which has little direct correlation to your future profession. However, on occasion you surprise yourself with an indirect application, something only clear in hindsight. One of Dr. Aycock's graduates may have one of those moments down the road, but I'm certainly not going to sit here and tell you I can map that connection.

There are basically about 20 categories of security vulnerabilities, the bulk of which were known about in the 1970's, and virtually all by 1990. I believe viruses and malware have around 10 attack vectors, the majority of which were written about by Fred Cohen in 1983-86. As a senior undergrad level course I do not expect a lot of novel research to be done within this course.

I'll be the first to admit that I've been surprised by how much ground we're rediscovering in this field; however, I find your expectations very presumptuous.

Rehashing of old well-understood malicious software by writing their own implementation does not look towards the horizon, it will be an exercise in programming, possibly even at the scripting / macro language level (e.g. VB, VB for Apps).

I don't believe that this course will "rehash" anything. That's exactly what university courses avoid by teaching theory; it's up to the student to apply it to the state of the art. They may indeed use dated examples or assignments (that's to be seen), but to drive home concepts, not to teach them to write Uber-nimda.

I spend far too much of my professional and personal time fixing "experiments in software", and I do not see a good risk/reward benefit from such an unproven method of teaching that warrants a possibly reckless course of action.

I don't doubt your experience, but it seems that the UoC does see the benefit. How could they go about proving it to your satisfaction? Is it the lab safeguards that you're concerned about, or would nothing short of eras[ing] the student's brains at the end of the course satisfy you?

Sunday, June 01, 2003

The argument over teaching computer virus and malware writing continues on the EFC's talk mailing list:

From: "John Jarvis"
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Saturday, May 31, 2003 7:18 PM

----- Original Message -----
From: "M Taylor"
Sent: Saturday, May 31, 2003 6:24 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Dr. Brunnstein claims that teaching the writing of malicious software is unethical, not the teaching about malicious software, which is something he himself does.

Yes, I realize that and I don't agree with him. Graduates who do not know how to write malware will not be as effective at combatting it as those who do. It's a question of the level of knowledge we're equipping these students with, and raising that level, as a goal, is not unethical in my mind.

I tend to think that spending time writing malicious software may not be the best way to learn and understand.

But it may be. There's a world of difference between being able to speak to something and being able to do it. Most people learn through application.

Just as most security professionals do not write new exploits, and I do not think anyone would seriously argue that all security experts should publish new exploits into the public knowledge, especially while the vulnerability is not fixed in the target software. Even the full disclosure movement, such as some authors on the Bugtraq mailing list, has moved to the better security researchers giving reasonable lead times to affected vendors/authors before publishing the mere fact that a vulnerability exists. Fewer researchers publish actual exploits, and most are more concerned with reducing the threat of vulnerable systems.

So, what you're saying is, these graduates will only be good for writing exploits? Or they'll be more inclined than others? Who said anything about publishing exploits in the public domain? None of the course work leaves the lab.

Most security professionals are out there helping organizations defend themselves as best they can today. Of course those guys aren't writing the latest stuff. We need people looking ahead, developing the systems that will protect us from threats that are on the horizon. I don't know that these graduates will be any better at that than Dr. Brunnstein's graduates, but it's worth a try.

As for full disclosure vs. lead time, that's a tangent, and one that we certainly haven't figured out yet. There've been prominent cases of companies squandering reasonable lead times in inter-departmental blame wars.

Understanding malware is something the entire computing/IT community needs more of, but I am not certain that to get there we need more practicing (academic or otherwise) virus writers.

Yes, but should we shut the whole thing down because you aren't certain? This is a worthwhile experiment, in my mind.

I don't think Arson Investigators spend a lot of time setting fires, but do practice examining fires.

My point was that spin doctors *could* have a field day describing the courses, not that the association actually teaches that stuff.