The fallacy of trust

I’ve recently been reading Absolute FreeBSD: The Complete Guide to FreeBSD by Michael W Lucas. The book is packed with info about using FreeBSD, mostly from a server perspective; it has a lot of information related to keeping server boxes secure (as it should). In a footnote in Chapter 9, Lucas provides the web address to an article which is no longer available at that address; Archive.org saves the day with a cached version of the article.

Entitled “Reflections on Trusting Trust,” it’s a transcript of a speech given by Ken Thompson, one of the graybeards behind Unix as well as a few other neat technologies including UTF-8. It describes a security breach involving an operating system’s compiler - the program which takes program source code and turns it into an executable program. The speech goes into detail, but to sum it up, the breach works like this.

The attacker modifies the source code of a compiler, adding two new instructions:

  1. If the compiler is compiling the Unix login program, add code to it so that, if the password provided is a certain password, the user is allowed full access rights to the computer. Otherwise, the login program behaves as normal.

  2. If the compiler is compiling the compiler (another copy of itself), add these two new instructions to the compiler.

The attacker then compiles the code to produce a tainted compiler, then removes the two instructions above from the compiler’s source code to cover their tracks. But it doesn’t matter, because from now on, any copies of the login or compiler programs the compiler creates, or that a compiler created by the compiler creates, etc, will be “tainted.” If the compiler is then distributed in binary form to a wide number of systems - say, as an operating system release - then you’ve suddenly got a wide range of systems out in the wild which one hacker can gain root access to with a single password.
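A toy model of the two rules above, added here as an illustration (it is not Thompson's code and not from the article). It shows the taint surviving rebuilds from clean source, and a check that exposes it by rebuilding with an independent compiler, the idea behind diverse double-compiling. All names and source strings are constructed, and the check assumes that builds are deterministic and that a second, unrelated compiler binary is available.

```python
from dataclasses import dataclass

# Constructed stand-ins for real source files; both would pass a source audit.
LOGIN_SRC = "login.c: compare typed password with stored hash"
COMPILER_SRC = "cc.c: translate source text into a binary"

@dataclass(frozen=True)
class Binary:
    built_from: str                   # source the binary was compiled from
    hidden: frozenset = frozenset()   # behaviour present only in the binary

CLEAN_CC = Binary(COMPILER_SRC)
# What one build of the briefly modified compiler source leaves behind.
TAINTED_CC = Binary(COMPILER_SRC, frozenset({"reinsert-both-rules"}))

def compile_with(cc: Binary, src: str) -> Binary:
    """Model of running the compiler binary `cc` on source text `src`."""
    hidden = set()
    if "reinsert-both-rules" in cc.hidden:
        if src == LOGIN_SRC:          # rule 1: login gains the extra password
            hidden.add("accepts-fixed-password")
        if src == COMPILER_SRC:       # rule 2: the new compiler inherits both rules
            hidden.add("reinsert-both-rules")
    return Binary(src, frozenset(hidden))

def rebuild_generations(cc: Binary, n: int) -> Binary:
    """Recompile the clean compiler source n times, each with the previous result."""
    for _ in range(n):
        cc = compile_with(cc, COMPILER_SRC)
    return cc

def matches_independent_rebuild(suspect: Binary, independent_cc: Binary) -> bool:
    """Build the compiler source with an unrelated compiler, rebuild it with that
    result, and compare with what the suspect produces from the same source."""
    stage1 = compile_with(independent_cc, COMPILER_SRC)
    stage2 = compile_with(stage1, COMPILER_SRC)
    return stage2 == compile_with(suspect, COMPILER_SRC)

if __name__ == "__main__":
    descendant = rebuild_generations(TAINTED_CC, 5)
    print("source looks clean:", descendant.built_from == COMPILER_SRC)
    print("login built by descendant:", set(compile_with(descendant, LOGIN_SRC).hidden))
    print("descendant matches independent rebuild:",
          matches_independent_rebuild(descendant, CLEAN_CC))
    print("clean compiler matches independent rebuild:",
          matches_independent_rebuild(CLEAN_CC, CLEAN_CC))
```

In a real build the comparison is a byte-for-byte diff of the two compiler binaries, which is why reproducible builds matter for this check.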

Once I wrapped my head around how the attack works, I was struck by both its simplicity and its practicality. Who’s to say such an attack isn’t already happening, really? Maybe not by a malicious hacker, but by a government interested in keeping tabs on its citizens and/or international neighbors…

Or think of other instructions which could be added to the list. If the compiler is compiling PHP or some other interpreter often used for the deployment of web sites, it could add instructions that, whenever the system accepts a number which looks like a credit card number, it emails that number off to the hacker. This would obviously be a huge breach for online shopping sites, and one that, I imagine, they’d have a very hard time tracking down themselves.

The gist is that it’s impossible to trust any code that you didn’t write yourself. But, of course, it’s impractical to write an entire functioning computer’s code all by yourself, end to end, and would probably cause more problems than it would fix anyway, since often the bugs and security issues you’ve created which are obvious to others can be easily skipped over or “invisible” to yourself. At some point, you just have to trust - or at least hope - that someone else’s code will be safe and sane.

If I were the paranoid type, I might even lose sleep over this…

Sickly

Remember a few weeks ago when I posted an article about my blood donation?

A couple weeks later, I got a notice in my mailbox that my postman had tried to drop off a certified letter from the blood bank, but I wasn’t there to receive it (I was working). That made me a little bit nervous. Why would the blood bank need to send me something so securely and confidentially? Maybe they found HIV in my blood, ha ha. No, that couldn’t be it, ha ha ha.

So the next day I swung by the post office and picked up the letter. Darn, it was a thick envelope, as it would be if it included brochures and stuff about how to deal with my recent HIV contraction, ha ha ha. I opened it up and read through the letter. Ah, thank God, they didn’t find HIV in my blood. Phew.

No, they found hepatitis C.

Yeah, and the rest of the envelope was sure enough filled with brochures and stuff about what hep C is and how to deal with it and stuff. Well, they found hep C in their first test, but then tested it again and couldn’t find it the second time, so they think that the first test was a false positive… but here’s a bunch of information about it and maybe you should see a real doctor about this, and also, sorry, but you’re off the donor list for six months even if you don’t have it.

Ha.

Now, you may find this hard to believe, but I don’t exactly live the hardcore life. I don’t shoot meth and I don’t patronize prostitutes. If I really did have the hep, I probably would have got it by giving blood… But, I mean, the letter was kinda clear that I probably didn’t have it, but it was still hella scary, ya know?

So I called the clinic and made an appointment to get blood drawn and tested. I got the phone call with the results today. Would this story end up being a comedy or a tragedy? Was I positive or negative for hepatitis C?

(suspenseful pause)

Well, I was negative, of course. I probably really had nothing to fear all along, but of course it’s good to get a definitive answer to the question, and not have the nagging feeling that maybe, maybe, it was the second test the blood bank did which was actually wrong. So for that it was worth the cost and trouble (especially if my insurance ends up covering the former - jury’s still out on that).

More long tech-related postings coming… eventually, I promise. Until then (and well after), keep giving blood for as long as your local bank lets you…

The vicious license

No major updates recently because my innernets was down at home thanks to a failed Motorola DSL modem. Now that things are working again, I’m going to waste so much time tonight, let me tell you…

I do want to share this, though. There’s a program out there called GlovePIE which basically aids in using various unusual input devices, such as Wii remotes and virtual reality gloves, with the PC. It turns out it has some rather strict and unusual licensing terms. Now this surely isn’t the first piece of software out there that has tried to make some sort of political statement in its licensing terms, but this one is just plain vicious. Check it out:

This software is copyright (c) Carl Kenner, except for scripts by other authors.
By using this software you agree to obey the following license conditions:[…]

  • You may not use this software directly or indirectly for any military purpose. This includes, but is not limited to, training, research and development, controlling military hardware, directing military personnel, or troop entertainment. You may not use this software anywhere on a military base or vessel. This applies to all versions of PIE.

  • You may not export this software to Israel, or use it in Israel (including the occupied territories), until Israel has ended its occupation of the West Bank, Gaza Strip, Lebanon, Syria, and anywhere else it may occupy. If you try to run it in Israel it will give you an error.

  • Missionaries may not use this software. It may not be used for any missionary purpose. Or any other genocidal purpose.

…Wow. I’ll have to keep that in mind if I ever become a soldier, missionary or Israeli and ever find a need to use a Power Glove (NSFW language) with my PC.

Looking forward to going back

Dear innernets;

I apologize for my last crappy post. I thought it was really funny at the time. I mean, I was cracking myself up while typing it. Looking at it now, though… hoo boy, yeah, I laid an egg. But, I mean, won’t the internet please just shut up about Twitter for a little bit? Seriously.

I’ve got a more interesting post (to me, anyway, but hey, that’s what blogging’s all about) about a third of the way done and saved in a text file to finish tomorrow (maybe). Before that, I’d like to do a little lazywebbing and ask if anyone out there has ever gone back to college. Now that I’ve got my debts from the first go-round almost paid off, I’m considering heading back to get a degree in something less worthless than friggin’ English Literature. Possibly a CS one; I feel I have a good amount of practical knowledge about development at this point, but I know I’m still lacking a lot of the theoretical stuff they teach in classrooms. I wouldn’t mind taking my Japanese studies beyond the just-for-fun level either.

Anyway, trying to search for info about going back to school seems to return a lot of spammy-looking sites for study-at-home programs and chain trade schools like University of Phoenix… not what I’m looking for at all. I’m talking about going to an actual university campus and taking classes for four hours a day or so. Not quite sure how a job will factor into that just yet, but I think I can find a way somehow.

So please, if you have done this and can share your story, please post in the comments - and then come back, because I’ll likely have some follow-up questions for ya. If you can just link to some sites with more info about the process which aren’t trying to sell me anything, that’d be appreciated too.

To twits: Today's tweets are tomorrow's retweets.

This Tuesday, Twitter’s twits tweeted a retweet of a Twitterer’s tweet. The text of the tweet tweeted that Twitter’s common tweets and retweets made the twit in question titter. Ten tweets later, a Twitterer named Travis tweeted that the twit that tweeted the first tragic tweet was a tit. http://tinyurl.com/5blkcl

Personally, after seeing the Fail Whale, I retweeted a retweet of a tweet that Tanya Twittered. Twelve tweets do not a typical twit make, but Tanya tweeted otherwise. http://bit.ly/sfTyx

Taking the drama out of the whole equation, I somehow found emotions I couldn’t summarize in one hundred forty characters. So I lazyweb’d my followers with a tweet asking how many twits’ tweets can truly be tolerable in these Web 2.0 days. Ping @enterprisey on this. http://is.gd/jnHY

Take the time to tweet me a tweet or two and let me know your thoughts.

About RGR

Ray Gun Robot is the personal site of Garrett Albright, a fairly decent web developer and Drupal themer living in northern California. I don’t update this site much anymore, though. Find out more about me.