Buffer Overflows and History: a request


One of my long-term interests in security is the ongoing cost of secrecy. My current favorite example is the stack smashing buffer overflow. These were known and understood no later than 1972, and clearly documented in the Computer Security Technology Planning Study:

The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine. (Page 61)

I believe that more open discussion of the technique by Aleph One led to a variety of defensive techniques getting baked into compilers and operating systems. Those defenses are now widespread, and it’s getting hard to find a stack smashing attack 10 or so years later. Had we not let the problem fester in secret, we’d be better off.

I’ve been told that the Bendix G-20 and the Burroughs B5500 had hardware level protection against buffer overflows as an intentional security mechanism. That is, there was an understanding that user supplied data could alter the flow of control.

I’m wondering if this is documented as clearly as the statement in the Security Technology Planning Study. It is very clear what the attack is and what the impact is. I’ve spent some time looking for a similarly clear published statement about one or the other of those machines. (Or heck, even a clear statement of the stack smashing attacks, rather than fuzzy statements about problems.)

Can you help me find such a thing?

Photo: Overflowing Glass 3, by nosheep on Stock.xchng.
[Update: We’ve got very interesting debate flowing in the comments.]

Help fund historic computers at Bletchley Park


Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of the world’s first computers. (If you pick the right set of adjectives, you can say “first.” Those adjectives are apparently “electronic” and “programmable.”) It has been rebuilt over the last fourteen years by a dedicated team, who have managed to figure out how it was constructed despite all the plans and actual machines having been dismantled.

Of course, keeping such things running requires cash, and Bletchley Park has been scrambling for it for years now. The BBC reports that IBM and PGP have started a consortium of high-tech companies to help fund the museum, starting with £57,000 (which appears to be what the exchange rate is on $100,000). PGP has also set up a web page for contributions through PayPal at http://www.pgp.com/stationx, and if you contribute at least £25 (these days actually less than $50), you get a limited-edition t-shirt complete with a cryptographic message on it.

An interesting facet of the news is that Bletchley Park is a British site and the companies starting this funding initiative are each American companies. Additionally, while PGP is an encryption company and thus has a connection to Bletchley Park as a codebreaking organization, one of the major points that PGP and IBM are making is that Bletchley Park is indeed a birthplace (if not the birthplace) of computing in general.

This is an interesting viewpoint, particularly if you consider the connection of Alan Turing himself. Turing’s impact on computing in general is more than his specific contributions to computers — he was a mathematician far more than an engineer. He was involved in designing Colossus, but the real credit goes to Tommy Flowers, who actually built the thing.

If we look at the history of computing, an interesting thing seems to have happened. The Allies built Colossus during the war, and then when the war ended agreed to forget about it. The Colossi were all smashed, but many people involved went elsewhere and took what they learned from Colossus to make all the early computers that seemed to have names that end in “-IAC.”

(A major exception is the work of Konrad Zuse, who not only built mechanical programmable computers before these electronic ones, but some early electronic ones, as well.)

This outgrowth from Colossus also seems to include the work that turned IBM from being a company that primarily made punched cards and typewriters to one that made computers. It is thus nice to see IBM the computing giant pointing to Colossus and Bletchley as a piece of history worth saving along with the cryptographers at PGP. It is their history, too.

I think this dual parentage makes Bletchley Park doubly worth saving. The information economy has computers and information security at its core, and Colossus sits at the origins of both. Please join us in helping save the history of the information society.

This Is Not Writing; You Are Not Reading

The Paper of Record has a hilarious article, “Literacy Debate: Online, R U Really Reading?” which asks important questions about what Those Darn Kids are doing — spending their time using a mixture of hot media and cold media delivered to them over the internets.

I’ll get right to the point before I start ridiculing the ridiculous, and answer the question. No. Of course not. It’s not really reading. This is not text. It is not the product of hot lead type lovingly smearing a mix of kerosene and soot over wood pulp. It’s a bunch of pixels, and those pixels are whispering directly into your brain. You are not reading, you’re hearing my snarky voice directly massaging your neurons. That doesn’t happen when you read. People don’t see things or hear things when they read. Ask Anne Fadiman if you don’t believe me. She knows.

Let’s look at some of the statements in the article:

Few who believe in the potential of the Web deny the value of books. But they argue that it is unrealistic to expect all children to read “To Kill a Mockingbird” or “Pride and Prejudice” for fun.

It is unrealistic to expect any children to read Austen. Austen is arguably the second best writer in all of English, but she requires emotional experiences that children do not have. Pride and Prejudice is no more children’s reading than 1984 is. Trust me on this, I know. I read 1984 when I was ten, and when I re-read it in college, I was gobsmacked to learn that there is sex in it.

Some traditionalists warn that digital reading is the intellectual equivalent of empty calories. Often, they argue, writers on the Internet employ a cryptic argot that vexes teachers and parents. Zigzagging through a cornucopia of words, pictures, video and sounds, they say, distracts more than strengthens readers.

They said pretty much the same about Dickens. Until relatively recently, no serious scholar of literature (read college professor) would admit to reading Dickens. Personally, I agree. These days he’s considered a classic, and the non-serious scholars won’t admit to reading him.

Last fall the National Endowment for the Arts issued a sobering report linking flat or declining national reading test scores among teenagers with the slump in the proportion of adolescents who said they read for fun.

And of course we can fix this by denigrating what they do read, as opposed to finding things for them worth reading.

“Whatever the benefits of newer electronic media,” Dana Gioia, the chairman of the N.E.A., wrote in the report’s introduction, “they provide no measurable substitute for the intellectual and personal development initiated and sustained by frequent reading.”

I’ll do my part. I resolve to start writing my blog posts, okay? Do you want them in printing or copperplate?

[Synopsis: Nadia’s mother tries to instill a love of books in Nadia. Nadia does not respond until they get a computer, when Nadia gives up TV for fanfic.]

Now [Nadia] regularly reads stories that run as long as 45 Web pages. Many of them have elliptical plots and are sprinkled with spelling and grammatical errors.

Which the masters of modern literature such as Pynchon and Joyce would never do. Austen never had elliptical plots, they were circular, and she was merely eccentric.

Nadia said she wanted to major in English at college and someday hopes to be published. She does not see a problem with reading few books. “No one’s ever said you should read more books to get into college,” she said.

And this is a problem?

Reading skills are also valued by employers. A 2006 survey by the Conference Board, which conducts research for business leaders, found that nearly 90 percent of employers rated “reading comprehension” as “very important” for workers with bachelor’s degrees.

I don’t know about you, but I wonder what sort of people the 10+% of employers are who think that reading comprehension is not very important. What sort of Dilbert-refugees are they? I find that “nearly 90%” to be disturbing.

Some literacy experts say that reading itself should be redefined. Interpreting videos or pictures, they say, may be as important a skill as analyzing a novel or a poem.

Ah, the word “may.” I’ve ranted about it before. It is true that interpreting pictures may be as important as analyzing a novel. It certainly is if you want to appreciate El Greco. But that’s not the point. As much as I like sneering at moderns who think Dickens is literature, times change. It may, indeed. Joyce may have written grammatically. Austen may be suitable for children. Reading comprehension may be important for workers with bachelor’s degrees. And Shakespeare’s works may have been written by another man of the same name.

I am disdainful of hot media, but the Web is the renaissance of cold media. It’s an aberration in a slide to hotter and hotter media. Also realize that cold media is relatively recent. Most of human history had its literature in songs and pantomime.

Lastly, remember that kids have been no damned good for as long as we’ve been writing at all. The pinnacle of civilization was when we were in the caves, and it’s been a long slow slide into perdition ever since. Every generation is worse than the previous one. It will continue to be that way. These kids are going to sigh with exasperation and not understand why their kids roll their eyes at Sailor Moon. And they’re just not going to understand the true art form of fanfic and slashfic. Tsk.

The Words of our (Founding) Fathers

There’s an article in the Washington Post, “In the Course of Human Events, Still Unpublished.” It’s about how the papers of the founding fathers of the United States are still not available except in physical form, and the scholarly practice that keeps them there.

Many of the founding fathers’ letters have been transcribed and made available over the years, and the original documents can increasingly be found online. But it is the painstaking annotation of these thousands of documents — their detailed explanation — that takes so long. Scholars check and double-check each reference and then try to explain each one and put it in context. A page of the massive annotated tomes can contain a snippet of a document and then a long footnote of explanation.

It seems to me that, while useful, footnotes and explanations inevitably reflect the time in which they’re written. The writings of those brilliant men usually speak for themselves. There’s certainly context and explanation that adds to it, but for heaven’s sake, get the originals out there. They’re far more important than the footnotes.