Thursday, June 26, 2003

Canadian Members of Parliament are vowing to fight an amendment to the Copyright Act. From the story in the National Post:
Opponents told the committee the amendment could keep potentially important documentation from a number of prominent Canadians -- R.B. Bennett and Sir Wilfrid Laurier, two former prime ministers, and others -- away from historians and students.

I found this quote both surprising and encouraging. With Eldred's failure to get the Sonny Bono Copyright Term Extension Act declared unconstitutional south of the border (see Eldred v. Ashcroft), it's easy to assume that the people in power don't understand the value of the public domain. Stories like this one buck me up! :-) And our MPs, no less! Woo hoo! Free the mouse!
Boy, if nothing else, this controversy over the University of Calgary's malware-writing course has certainly put the institution on the international map! The Risks Digest Volume 22: Issues 76 and 77 continue the debate.

Tuesday, June 24, 2003

Well, the s**t storm ended today, as everyone knew it eventually would: Today, George Radwanski issued his resignation as the Privacy Commissioner of Canada.

I don't know what the majority of Canadians think about this news, but I've heard a lot of indifference from the people I've talked with. I don't claim to know all that Mr. Radwanski did for our privacy rights, but what I do know impressed me. His fights against video surveillance in Kelowna, BC and Air Canada's opt-out Aeroplan stick out in my mind as shining examples. This man did a lot of good work on behalf of Canadians, despite what the media has focused on. And what of it? A mistake in a filing and a budget that's as big as that of the other four watchdogs combined. So what, I say.

As Mr. Radwanski points out in his statement, few watchdogs have faced the challenges thrown at privacy advocates in the wake of the World Trade Centre attack. He has been out there (especially in the U.S.) making people aware of the consequences of rash policy. The U.S. may have a similar advocate in the future, thanks to Mr. Radwanski's efforts. And let's dispense with the shock surrounding how our government does business; fancy lunches, suppers, etc. are nothing new, and many more would hang by that criterion. I'll take Mr. Radwanski's "When in Rome" attitude over the idealist in the office any day. The important point is that he was getting the message out there! Privacy is a right, and it's no longer guaranteed!

Whatever his failings, the quick execution of Mr. Radwanski's character should give Canadians pause. There are plenty of hooks to dangle your conspiracy theories from, but in the end, it simply proves that no one's character is safe.

Goodbye, Mr. Radwanski. You will be missed.

John L. Jarvis is a writer working out of Ottawa. He can be reached at john_l_jarvis@hotmail.com.

Wednesday, June 18, 2003

I'm pleased to say that Bruce Schneier's opinion on malware-writing courses is in line with my own (if a bit harsher). :-) No matter what you think of him, there's no arguing the weight his opinion carries in security circles.

If you're interested in my opinion (and you must be somewhat interested; you're reading this, after all), read my blogs around the beginning of the month.

Monday, June 09, 2003

Movie Review - The Matrix Reloaded

I finally took in The Matrix Reloaded last night. Despite being a big fan of The Matrix (I lost count of how many times I saw it in the theatre, but half a dozen wouldn’t be hyperbole), I didn’t even entertain the idea of going to its opening night. Movietickets.com and cookie-cutter “Go big or go home!” theatres have killed the magic of opening night. And once you’ve missed opening night, what’s the rush? My verdict on The Matrix Reloaded? What’s the rush indeed.

Before I comment on the movie, I’ll be honest about two factors that undoubtedly affected my experience: (1) I heard general comments from two people indicating that the movie took some time to ramp up (ranging from half an hour to an hour), and (2) I haven’t watched The Matrix in more than three years. The former had me expecting the action and the story to pick up at some point, and the latter had me expecting the movie to largely stand on its own. Alas, I was disappointed on both counts.

I firmly believe that the popularity of The Matrix had as much to do with its intelligent, fast-paced story as its groundbreaking action sequences. With the exception of Keanu’s ever-wooden presence and the sap between his character and Trinity, the movie worked and moved. The consensus is that The Matrix Reloaded did not move; I would say it twitched, and most often with action, as opposed to a story. The one exception was Neo’s conversation with The Architect.

Of course, by the time Neo made it to the door of light, the audience had given up on seeing the overarching story progress. I suspect most of that philosophical conversation fell on deaf ears. (Lord knows I had to mentally slap myself a few times, and I heard a kid behind me say, “Look! It’s his whole life.”) However, this story is a dichotomy because it isn’t simply a case of padding an hour and a half around a half-hour story; the material that was included seemed to have suffered terribly on the chopping block. For example, what was the point of the Morpheus-Niobe-Lock love triangle? Or Jada Pinkett Smith’s character, for that matter? I can hear her now, “Was all that footage just for the video game?”

These questions really get to the heart of my disappointment with The Matrix Reloaded: I wasn’t engaged. I didn’t care that Zion was in imminent danger, or that Link was struggling to sort out his priorities. I didn’t believe Morpheus’ rhetoric (which really killed the potential of Neo’s return), or Neo and Trinity’s love (O.K., so I didn’t believe it in the first one either… Why do they even attempt that?). Compare that with the first movie, where I feared the agents and wanted those characters to grab that receiver and get the hell out of there; where the Matrix itself was truly horrifying; where Neo’s surviving his first confrontation with an agent was so exhilarating. The truth is that it’s no comparison at all.

So what about the action sequences? Surely they saved the movie, right? Yes and no. I really enjoyed the fight between Neo and Seraph (The Oracle’s guardian). I also enjoyed Trinity’s attempt to get The Keymaker out by motorcycle. However, beyond that, my enjoyment was fleeting: the twins in the parking garage, the whole floor of that building exploding. And these scenes had to compete with fiascos like that Agent-Smith-a-thon. I felt like I was watching the commercial for Star Wars: Knights of the Old Republic all over again! When things got hairy, Neo’s skin lost all its texture, its shadows… They looked like plastic figures! It really annoyed me, knocking me right out of the scene.

Of course, the action sequences weren’t the only source of my annoyance. In fact, this movie’s low of “Kiss me in front of this snazzy urinal or you’ll never find The Keymaker” was beyond annoying; it was really disappointing. From Trinity and Neo’s game of Count-the-sockets to Electric Circus “Live from Zion” to the (cue slimy, French accent) “Let’s see what’s under that dress of yours, yes?” scene, The Matrix Reloaded was often crass. And while that’s to be expected of most movies these days, The Matrix wasn’t like most movies; with scenes like “the woman in red,” it set a classy precedent.

Some may say that my criticisms are unfair, that expecting The Matrix Reloaded to stand on its own is unrealistic. After all, they covered a lot of ground in the first movie; why tie the director’s hands by making him repeat it? My answer to those people is that if this story can’t stand on it own – without the background of the first installment – is it really worth telling? My first thought upon hearing about a Matrix sequel was, “Who wants to watch a story about a god?” In the back of my mind, I knew they would have to come up with a knockout if they hoped to avoid, “Don’t miss our next installment: God runs out of toilet paper… on holiday Monday!” The Matrix Revolutions may be that knockout; we’ll know in a few short months. If so, I suspect that most of The Matrix Reloaded will be remembered as the chaff on an exceptional, two-part story.

John L. Jarvis is a writer working out of Ottawa. He can be reached at john_l_jarvis@hotmail.com.

Tuesday, June 03, 2003

Wow! Getting fired for sending inappropriate e-mail at work is nothing new, but how about for just receiving it? This really does smack of a vendetta; after all, it doesn't take a technically-savvy supervisor to ask the employee who complained for a forwarded copy of the offending e-mail message. Yes, said supervisor might be fooled by a forged message, but I'm guessing this hospital employee wouldn't be capable of that. And if they fired her for showing a printed copy of the e-mail message, they should've asked for a witness to corroborate the story.

That aside, if a complaint were filed against me, I'd hope they'd go to the mail server log files before canning me! She was her family's sole provider, for crying out loud!
There's a fiery series (Chapter 2, Chapter 3 and Chapter 4 - I have no idea what happened to the first chapter) on the University of Calgary's virus-writing course at vmyths.com.

I was irate after reading the second chapter, all ready to fill this blog with liberal "there shouldn't be any restrictions on registering for university courses." Then the third chapter took the wind out of my sails. I still believe it; it's just a relatively small issue in the face of the United States' evolving view of Canada.

Monday, June 02, 2003

Is it unethical to teach students how to write computer viruses? Part 3 of this saga follows:

From: "John Jarvis"
To: efc-talk@efc.ca
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing
Date: Monday, June 02, 2003 12:04 AM

----- Original Message -----
From: "M Taylor"
To: efc-talk@efc.ca
Sent: Sunday, June 01, 2003 1:37 PM
Subject: Re: [EFC-Talk] University of Calgary going to teach virus writing

Prove it. Explain how a student (of Dr. Brunnstein's) who has not written a malicious piece software is less equipped to deal with new security threats than the student who wrote a file virus or macro virus (in Dr. Aycock's class).


Obviously I can't prove that. All other education and experience being equal, Dr. Aycock's graduates will have one extra tool in their belts. Will that advantage amount to anything? I don't know, but I don't think it's unethical to teach it.

Explain how having written some malware will help any professional deal with unknown malware in the wild. I argue that having had additional time to study reverse engineering of unknown code/executables is far most useful to deal with new threats in the wild.

And I would agree that reverse engineering capabilities would be invaluable to these students; why is it a question of one or the other? Again, it's just one more option available to the student. You're inundated with information at university, most of which has little direct correlation to your future profession. However, on occasion you surprise yourself with an indirect application, something only clear in hindsight. One of Dr. Aycock's graduates may have one of those moments down the road, but I'm certainly not going to sit here and tell you I can map that connection.

There are basiclly about 20 categories of security vulnerabilities, the bulk of which were known about in the 1970's, and virtually all by 1990. I believe viruses and malware have around 10 attack vectors, the majority of which were written about by Fred Cohen in 1983-86. As a senior undergrad level course I do not expect a lot of novel research to done within this course.

I'll be the first to admit that I've been surprised by how much ground we're rediscovering in this field; however, I find your expectations very presumptuous.

Rehashing of old well-understood malicious software by writing their own implementation does not look towards the horizon, it will be a excerise in programming, possibly even at the scipting / macro language level (e.g. VB, VB for Apps).

I don't believe that this course will "rehash" anything. That's exactly what university courses avoid by teaching theory; it's up to the student to apply it to the state of the art. They may indeed use dated examples or assignments (that's to be seen), but to drive home concepts, not to teach them to write Uber-nimda.

I spend far too much of my professional and personal time fixing "experiments in software", and I do not see a good risk/reward benefit from such an unproven method of teaching that warrents a possibly reckless course of action.

I don't doubt your experience, but it seems that the UoC does see the benefit. How could they go about proving it to your satisfaction? Is it the lab safeguards that you're concerned about, or would nothing short of eras[ing] the student's brains at the end of the course satisfy you?