Everything, Everything - May 2008

Cisco Rootkit
Tuesday 27th May, 2008 10:45
Cisco have updated their "Rootkits on Cisco IOS Devices" response since the presentation by Sebastian Muniz at the EUSecWest security conference. Their entire article pushes the idea of checking the integrity of the downloaded image using MD5 hashes. This would be fine, except the cryptographic hash function MD5 is not collision resistant (as demonstrated by Xiaoyun Wang and her co-authors back in 2004, subsequently allowing some clever researchers to (hopefully) predict the winner of the 2008 US Presidential Elections). I wonder how long it'd take to produce a malicious Cisco IOS software image that has the same MD5 hash as a legitimate version. Combine this with DNS poisoning or modifying the hosts file to redirect users to a malicious server and the IOS rootkit could remain a threat. Perhaps Cisco should jump to SHA-512, given that SHA-1 is already "broken".
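A defender-side check for the point above, written as an added example (it is not from this post or from Cisco): verify a downloaded image against the digests the vendor publishes, and refuse to accept a manifest that offers only MD5 or SHA-1, since a collision-based substitution would pass those. The manifest shape, the weak-algorithm list and the random-bytes stand-in for an IOS image are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Assumed policy for this example: digests that must not be trusted alone.
WEAK_ALGORITHMS = {"md5", "sha1"}
CHUNK = 1 << 20


def file_digests(path, algorithms):
    """Stream the image once and compute every requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, published):
    """Return (ok, reason). `published` maps algorithm name -> hex digest.

    At least one non-weak digest must be published, and every published
    digest must match; comparison is constant-time.
    """
    strong = [a for a in published if a not in WEAK_ALGORITHMS]
    if not strong:
        return False, "only weak digests published; cannot trust image"
    actual = file_digests(path, list(published))
    for name, expected in published.items():
        if not hmac.compare_digest(actual[name], expected.lower()):
            return False, f"{name} mismatch"
    return True, "all published digests match, including " + ", ".join(strong)


def demo():
    """Constructed stand-in for an image (random bytes in a temp file)."""
    data = os.urandom(3 * CHUNK + 17)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        md5_only = {"md5": hashlib.md5(data).hexdigest()}
        both = dict(md5_only, sha512=hashlib.sha512(data).hexdigest())
        last = both["sha512"][-1]
        tampered = dict(both, sha512=both["sha512"][:-1] + ("0" if last != "0" else "1"))
        return (verify_image(path, md5_only)[0],
                verify_image(path, both)[0],
                verify_image(path, tampered)[0])
    finally:
        os.unlink(path)
```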
Doctor Who Theme
Monday 12th May, 2008 14:05
Why do I have it stuck in my head? Why?!? It's the new version from the current series, probably because I watched it on BBC One over the weekend. According to Wikipedia:

In November 2007, following the BBC's announcement that it was requiring all series to implement a shorter closing credits sequence, it was rumoured that Murray Gold was working on a third rework of his theme, making Murray Gold only the second person to have arranged two televised versions of the theme (the first being Delia Derbyshire back in 1966). The rumours were proven correct when a new version of the theme -- featuring additional drums, piano and bass guitar while retaining the original Derbyshire electronic sound to drive the melody line as was done with the 2005 arrangement, as well as a variation of "The Chase" counter-melody -- was introduced in the Christmas 2007 episode, "Voyage of the Damned" and is in use for the 2008 series
Performance Issues
Saturday 10th May, 2008 23:03
Some of you may have noticed that my website has been running a bit sluggishly for over a week now. It turns out it wasn't due to:
  • The new site layout (which was primarily some changes to the CSS file)
  • A recent update of the database so older entries contain timestamps instead of null values
  • Applying the new design to 2004-2007 entries (which uses the timestamps I'd generated)
  • An update that Chris had made to the server without telling me (added support for Ruby)
  • The server, which Chris kindly rebooted for good measure last weekend
It looks like the recent performance issue was caused by the .htaccess file that I haven't touched in months. Go figure. Anyway, I removed a few lines that didn't really need to be there, and I removed a couple dozen lines of IP ranges that I had added to deny access to the site (because it stops some unwanted automated bots from seeing my website). This should make my UKRP gadget go back to normal speed when changing stations, rather than "transitioning" for 5-10 seconds waiting for my site to redirect users to the actual stream (which still needs a second or two to buffer).
Bad Science
Friday 2nd May, 2008 14:53
In an article published at The Register earlier today, the author states:

NASA staff have done some recent bookkeeping and refined the data from 1930-1999. The issue has been discussed extensively at science blog Climate Audit. So what is the probability of this effort consistently increasing recent temperatures and decreasing older temperatures? From a statistical viewpoint, data recalculation should cause each year to have a 50/50 probability of going either up or down - thus the odds of all 70 adjusted years working in concert to increase the slope of the graph (as seen in the combined version) are an astronomical 2 raised to the power of 70

The paragraph goes on to make a huge fuss about how unlikely it is, compared to the author's (incorrect) expectation of a 50/50 probability. But he never mentioned the published reasons as to why the adjustments were made. I wouldn't have a problem with him questioning the accuracy of the adjustments or more specifically the methodology used to calculate the current graphs; I do have a problem with him blindly criticising that pre-1970 temperatures have been nearly uniformly adjusted downwards and post-1970 temperatures have been adjusted upwards. Additionally, his crude rotation of the graph overlaid on the other is not very scientific or accurate.

Surface temperature measurements have a low signal to noise ratio. Additionally, NASA do not just use the raw temperature measurements from each station, they apply many layers of adjustments. These adjustments tend to be quite large: "nearly all the reported warming in the USHCN data base, which is used for nearly all global warming studies and models, is from human-added fudge factors, guesstimates, and corrections". It wasn't until last year that NASA finally released their algorithm:

Reto Ruedy has organized into a single document, as well as practical on a short time scale, the programs that produce our global temperature analysis from publicly available data streams of temperature measurements. These are a combination of subroutines written over the past few decades by Sergej Lebedeff, Jay Glascoe, and Reto. Because the programs include a variety of languages and computer unique functions, Reto would have preferred to have a week or two to combine these into a simpler more transparent structure, but because of a recent flood of demands for the programs, they are being made available as is. People interested in science may want to wait a week or two for a simplified version. The documentation/programs are at: http://data.giss.nasa.gov/gistemp/sources/

They admit in the next paragraph that "one aspect of our procedure where subjectivity could come into play is the choice of which stations are eliminated from the record" - although it should be noted that there haven't been any claims that anyone is intentionally picking "bad" stations, just that there appear to be fewer "good" stations. NASA have a wide variety of sources and they choose which sources to include when generating the pretty graphs that the general public get to see.

So what does this all mean? It's still not entirely clear either way whether global warming is happening. It's clear that the author's article doesn't really add anything meaningful or useful to the whole debate. But what can you expect from statistics and relatively short trends.
Easily Influenced
Friday 2nd May, 2008 09:42
I've noticed recently that TV and the internet are influencing my diet. All it takes is for a character on a TV show to mention "ice cream" or a webcomic to mention "bacon" and I'll think to myself "I have ice cream in my freezer" or "I still have some bacon that needs eating up". Shortly afterwards that food will be in my belly (the bacon is still in the fridge right now, but lunch is only a few hours away).

Thankfully I don't have the same problem when BBC News report about polonium tea, although I'm not sure whether I'm more concerned by the radioactive poisoning or the fact it's tea.
