Monthly Archives: March 2011

What I’ve Been Reading

Leave a reply
  • [amazon_link id=“0981678017” target=“_blank” ]The Busy Coder’s Guide to Advanced Android Development[/amazon_link]. Book for  a quick start on Android development, full of examples and straight to the point, it’s also worth mentioning for their innovative Books-as-a-Subscription service (BaaS) that provides updates and new titles for $40 per year.
  • [amazon_link id=“0470697164” target=“_blank” ]LTE, The UMTS Long Term Evolution: From Theory to Practice[/amazon_link]. An extensive, comprehensive and in-depth tour-de-force on the LTE standard by some of the contributors of its standardization. An invaluable tool for anyone LTE-related, it will be the most authoritative source for the years to come: it has reminded me the [amazon_link id=“0201633469” target=“_blank” ]TCP/IP Illustrated series[/amazon_link] while reading it. The best: the parts describing the physical layer (OFDM and MIMO), the most innovative part of the standard and its real lifeblood. Every standard should have a book like this one written for it.
  • [amazon_link id=“1598220616” target=“_blank” ]The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System[/amazon_link]. In the last decade, there has been an explosion of computer security related books. From time a time, a title really stands up from the rest, and this must be it for 2009: Stuxnet developers should have read this one before coding their second-rate worm. Caveat: no source code available for download.

The ROI Fallacy in CompSec

Leave a reply

The script is always the same: first, an estimation of the expected loss from an intrusion or attack is provided; then, a proposal of countermeasures that are some orders of magnitude cheaper that the expected loss is suggested; in conclusion, the solution being offered features such a high ROI that only a fool will discard it, so runs the argument. Repeat for every antivirus, IDS, firewall or whatever security product being sold.

This myth is based on a loaded use of language that equals the notion of expending on security with that of an investment, a misleading and self-serving broken framework of economics that isn’t taking into consideration other variables like opportunity and hidden costs. As in the parable of the broken window, disregarding the ideal world in which nothing gets broken and the resources could be better put into use for other much more productive purposes leads to very misguided conclusions. That is, security is not an investment, and insecure programs don’t carry debts.

Computer security is a tax.

Different operating systems carry different levels of taxes: desktop Window carry a higher level of computer security taxes due to malware. And programming languages also differ: the tax bracket for ColdFusion is higher than the one for C, which is higher than the one for Java/C#.

And since software vendors aren’t liable for their insecure products, they have no incentive to internalize the hidden costs of security breaches and transfer them to customers, who must spend resources to protect their real assets, like the taxes citizens pay to governments to provide for security services.

Perfecting the Dreaded Software Company Acquisition

Leave a reply

Microsoft, Google (Tracking Google’s Acquisitions), IBM and many others software company acquirers have colluded an empirical law that sets the fate of acquirees: their ex-post discount rate runs very high, at 80%.

Leaving out all-talent and all-users acquisitions, we hit upon the dreaded code rewrite, which is always a disaster waiting to happen: since developers, always running away from legacy code and its technical debt in the search of the promised land of unbuggy software, throw themselves into the abyss of the unknown taking advantage of the recently shaken power structure.

Fortunately, a well-conceived Memorandum of Understanding benefitting from the accumulated wisdom of corporate and software archeology should solve this issue including the following rules:

    1. New functionality should be written using the new tools, languages and software platforms of the acquirer (under the assumption that these new tools will improve the scalability, availability, costs or any other metrics)
    2. A new API encapsulating and exposing functionality between languages and platforms should be preferred (Façade, Front-Controller patterns)
    3. Legacy code should not be rewritten, except when: 
      1. The benefits, measured by the KPIs of the business,  are quantifiably higher than the cost of the rewrite itself, on a module-by-module basis
      2. In case of doubt, it’s the acquirer the one having to rewrite the acquiree code, not the other way around

iPhone Decompilation & Obfuscation

Leave a reply

The tools to decompile iPhone apps are quite well-known:

  • Otx, an advanced disassembler based on otool
  • class_dump_z, an updated version of the old class-dump for the iPhoneOS, to extract Objective‑C class interfaces
  • Hex-Rays, the most advanced decompiler ever, also supports ARM binaries (based on Datarescue’s IDA Pro)

Unfortunately, there’s no easy way to obfuscate iPhone apps, even if the iPhone is 4 years old. The easiest approach would be to take advantage of the LLVM source-to-source feature to recompile the mobile apps to an intermediate high level-language and transform the source code using a specialized tool like TXL to modify the control flow before generating the final binaries. Delving into the LLVM route, it would be ideal for using more sophisticated obfuscation techniques to bring the superb DynInst into play, but it doesn’t support the ARM instruction set. As a final point, there is a commercial tool to obfuscate Objective‑C, Morpher, although there are not outside reviews about its value.

Baumol’s Cost Disease in Computer Security

Leave a reply

The most creative parts of computer security are undecidable or NP-hard problems, a fact that creates a big divide in the computer security field: on the one hand, bug finding, exploit writing, secure code auditing and cryptographic protocol design are the most difficult tasks in the field to apprehend and resolve; but on the other hand, the pentesting process is largely better left to be done by software than by humans. The key insight is that no capital-labor substitution will ever take place in the first kind of activities, therefore productivity gains will never be achieved on them no matter what amount of innovation will ever be carried out in the next decades: that is, the same man-hours will be needed to produce the same amount of work in the future, if not more so, taking into account the exponentially rising number of computer systems and software components and their interactions.

And that is the depiction of the archetypal setting in which Baumol’s Cost Disease arises: tasks with no labor productivity improvements for decades, but with raising labor costs nonetheless, to keep up with the rising salaries in other jobs which did experience such labor productivity growth. The side effect of the disease, which makes it so nefarious to the computer security field, is that the best talent is lost to other tasks in this  process of constant readjustment.