Monday, January 31, 2005

Trustworthy Computing in Academia (or lack thereof)

Kevin Schofield recently wrote:

One of the things that I worry about related to trustworthy computing is the state of education on TWC topics in computer science programs today. When I go around and talk to professors, I ask them whether their students are taught even simple stuff, like how to avoid buffer overflows and the most common security bugs. Almost none of them say "yes."

As a graduating Computer Science student at the University of Michigan, I have to completely agree with Schofield here. There is an absolute lack of "TWC" topics in the CS curriculum. It's a deep-rooted problem, and unfortunately, not one that is destined to change any time soon.

For better or for worse, it is not the goal of university Computer Science programs to train future <insert-tech-company-name-here> employees. Universities see certain topics as fundamental to Computer Science: Discrete Math, Data Structures, Algorithms, Computer Organization and Architecture, Computation Theory, etc. Other topics, ranging from specific programming languages such as Java to specialized areas such as Web-Database Applications and Computer Networks are not seen as core to academic Computer Science, but rather specialized and practical applications of it, and are offered as electives.

"Computer Security and Trustworthy Computing" is offered here at U of M about every other semester, assuming a professor has a desire to teach it. It is considered an elective, right alongside Computer Networks, User Interfaces, and Computer Game Design. It has as a prerequisite another 400-level Computer Science course which happens to also be an elective, making Computer Security only available to a very small set of students in their final semesters who have taken all the right classes up to that point.

If areas such as Operating Systems, Databases, and Computer Networks can't make it into the core Computer Science curriculum, it's not realistic to expect that TWC can, in the form of its own course -- not anytime soon.

Instead of pushing for the addition of TWC to the curriculum in the form of courses, TWC advocates should push for the incorporation of foundational principles of Trustworthy Computing into existing course curriculums. Projects in all existing courses that rely on programming projects (and even those that don't!) should teach security principles in the same way that grade school teachers teach spelling and grammar -- by correcting spelling mistakes and reinforcing proper grammar principles even in projects where spelling and grammar are not necessarily the sole purposes of the assignments.

Computer Science instructors that grade programming assignments should catch, point out, and even take credit off for buffer overflows and other security vulnerabilities. Currently, this is something that just doesn't happen, and as a result, students leave the University for software development jobs without any concept of common security principles and practices. Can you predict what happens next?

Finally, it's worth noting that beyond incorporating TWC principles into existing curriculums, it's crucial that professors lead by example! In the web database course I'm taking this semester, the course web server where we work on our assignments was configured in such a way that students could easily view each other's work. Upon being notified of the situation, the professor requested that students change the permissions on their files. Yet students could still view each other's work if they so desired, since the web server user still had permission to read the files and we were coding in PHP (which can easily open, read, and output any file on the system that the web server user has access to). Upon being notified of this, the professor created a workaround by having students store their work in directories whose names ended with a string of random numbers. Aside from serving as a great example of security through obscurity (a bad thing.. mmkay?), students could still see these strings in the world-readable web server log file.

The bottom line is that students expect teachers to lead by example. They will remember the actions of their teachers far longer than the course material itself (in this same web database course, we spent 2 whole lectures covering web-app security principles -- and for what?). In this case, students walk away from the course thinking security through obscurity is an acceptable workaround to a security problem.
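To make the failure mode in that anecdote concrete, here is an added illustration of my own (it is not code from the post or from the course server described): a small Python model of the Unix read-permission check, run over one set of student files under two execution models. In the "shared" model every PHP script runs as the web server user, which is the situation described above; any file a student must leave readable to the server so that it can be served is, by those same permission bits, readable from every other student's script. In the "per_user" model the server runs each script as the file's owner (the approach suEXEC or a per-user PHP-FPM pool takes), and the same files are no longer cross-readable. The uids, gids, paths and modes are constructed sample data, and the two model names and helper functions are my own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """A running process: the uid it runs as and the gids it belongs to."""
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class FileEntry:
    """A file as the kernel sees it for a permission check."""
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


def can_read(who: Principal, f: FileEntry) -> bool:
    """Classic Unix discretionary read check: root, then owner, then group, then other."""
    if who.uid == 0:
        return True
    if who.uid == f.owner_uid:
        return bool(f.mode & 0o400)
    if f.group_gid in who.gids:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)


def script_principal(model: str, script: FileEntry, web_user: Principal,
                     user_groups: Dict[int, FrozenSet[int]]) -> Principal:
    """Identity a PHP script executes under (model names are this example's own).

    'shared'   - every script runs as the web-server user (mod_php style).
    'per_user' - the script runs as its owner (suEXEC / per-user FPM pool style).
    """
    if model == "shared":
        return web_user
    if model == "per_user":
        return Principal(script.owner_uid, user_groups[script.owner_uid])
    raise ValueError(f"unknown execution model: {model}")


def audit_cross_reads(files: List[FileEntry], model: str, web_user: Principal,
                      user_groups: Dict[int, FrozenSet[int]]) -> List[Tuple[str, str]]:
    """Return (script, target) pairs where a script could read another user's file.

    Only *.php files are treated as executable; every file is a possible target.
    The check is on mode bits alone, so it needs no privilege to run.
    """
    findings = []
    for script in files:
        if not script.path.endswith(".php"):
            continue
        runner = script_principal(model, script, web_user, user_groups)
        for target in files:
            if target.owner_uid == script.owner_uid:
                continue  # reading your own files is not a finding
            if can_read(runner, target):
                findings.append((script.path, target.path))
    return findings


def world_readable(f: FileEntry) -> bool:
    """True if the 'other' read bit is set, i.e. any local uid can open the file."""
    return bool(f.mode & 0o004)


# Constructed sample data (not from any real server): uid 33 is the web-server
# user, 1001 and 1002 are two students, each in a private group of their own.
WEB_USER = Principal(uid=33, gids=frozenset({33}))
USER_GROUPS = {33: frozenset({33}), 1001: frozenset({1001}), 1002: frozenset({1002})}
STUDENT_FILES = [
    # Both students have already removed "other" access.  The files stay
    # group-readable by the server's group because otherwise the pages would
    # not be served at all under the shared model.
    FileEntry("/home/alice/public_html/index.php", 1001, 33, 0o640),
    FileEntry("/home/alice/public_html/db_config.php", 1001, 33, 0o640),
    FileEntry("/home/bob/public_html/index.php", 1002, 33, 0o640),
]
# The server log, first with a world-readable mode like the one in the post,
# then tightened so only root and the log group can read it.
ACCESS_LOG_OPEN = FileEntry("/var/log/httpd/access_log", 0, 4, 0o644)
ACCESS_LOG_TIGHT = FileEntry("/var/log/httpd/access_log", 0, 4, 0o640)


if __name__ == "__main__":
    for model in ("shared", "per_user"):
        print(model, audit_cross_reads(STUDENT_FILES, model, WEB_USER, USER_GROUPS))
    print("log readable by web user:",
          can_read(WEB_USER, ACCESS_LOG_OPEN), can_read(WEB_USER, ACCESS_LOG_TIGHT))
```

Running it shows four cross-read pairs under the shared model and none under the per-user model, with identical file modes in both cases. That is the point the anecdote makes: when all scripts share one process identity, the isolation boundary is that identity, not the file permissions, so asking students to chmod their files cannot fix it, and renaming directories does not change which files the server's uid can open. The log check is the same idea applied to the second problem in the post: a world-readable log is readable by the web server user, and therefore by any script running as it.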

Don't let my little anecdote leave a bad taste in your mouth with respect to the University of Michigan CS program. The professor is actually quite amazing and an all-star in his field. But, just as with the students leaving universities across the country (and the world?) today, perhaps TWC concepts were never core to his area of study. Security comes only as an afterthought.. whose fault is that?

Sunday, January 30, 2005

Brand Harmony

Over the holidays I read a great book, Brand Harmony by Steve Yastrow.

The core principle of "brand harmony" can be summed up as your brand is not what you say you are, but what your customer thinks you are.

Yastrow advocates the jettison of classical concepts and methods like brute force marketing for an undoubtedly more effective (though difficult to achieve) customer-centered "desired brand perception". Critical to achieving this is the knowledge of dealing with the harsh reality that a personal experience with a product will outweigh anything a company explicitly tells a consumer about the product.

We experience these disparities on a daily basis. Recently, I found myself looking out the window of a Continental aircraft before takeoff at a branded slogan for the airline that read "Continental Airlines - Safe and On-time". The plane had been delayed on the runway for an hour.

It's experiences such as these that Yastrow explores, and how as an organization, to avoid them. Everything is marketing, Yastrow argues, and seeing things from the perspective of the customer is key.

At about 150 pages, the book is short and sweet. It's full of great stories and engaging examples from Yastrow's personal and professional experience. If you liked Malcolm Gladwell's The Tipping Point, I'd highly recommend reading Brand Harmony as well.

Finally, thanks to my father for recommending this one to me! It's definitely a keeper.

Wednesday, January 19, 2005

Google, MSN, and Yahoo implement my noref idea!

A month and a half ago, I suggested a new parameter to the HTML anchor tag to allow users to prevent a link on their site from being viewed as a "recommendation" by the search engines.

This morning, I woke up to find that the three major search engines, Google, MSN, and Yahoo, all implemented this feature!

Check it out:

Google Blog Entry
MSN Search Blog
Yahoo! Search Blog

Sweeeeet!

Thursday, January 13, 2005

Best of Channel9, 2004

It's no secret that I'm a huge fan of Microsoft's video blog site, Channel9. So much so, that I spent quite a bit of time over my recent vacation catching up on videos from 2004.

Different segments amazed me for different reasons. Some demo'd Microsoft products I didn't know existed (Photo Story 3). Others gave me a glimpse into toys I've yet to own (Tablet PC, Portable Media Center). A few even provided a look at new technologies being developed at Microsoft Research.

Most of the Channel9 content is geared towards developers, so some of you may find this to be a bit dry. It's certainly raw and unpolished, direct from developer to developer, without the touch of traditional Marketing forces that be.

Without further ado, here are my top 25 Channel9 picks from 2004 (this should keep you busy for a while!):

Mobile Devices

Neil Enns - Can you give us a demo of the SmartPhone?

Neil Enns - What's cool about his SmartPhone

Neil Enns - Why would anyone want a cell phone with a camera on it?

Neil Enns - If a cell phone developer said "I'm going to go with Java" what would you say?

Ori Amiga - Tour of mobile devices with Visual Studio for Devices team

Ori Amiga - What kinds of apps can you build for the next version of Mobile Devices?

Alex Kipman - Building a mobile service

Tablet PC

Peter Loforte - The Tablet PC has changed my life (in bed)

Peter Loforte - What's cool about the upcoming Tablet PC software?

Peter Loforte - What is a Tablet PC doing when someone writes on the screen?

Bert Keely - Souping up the Tablet PC

Bert Keely - SmartPhone and Tablet PC together

Bert Keely - Tablet PC and maps

Robert Williams - What did you learn from building the Tablet PC?

Robert Williams - Is the Tablet PC technology good enough for using the pen only?

Susan Cameron - New Tablet PC powertoy under development

Miscellaneous

Rich Davies - Inside the SPOT watch team*

Brett Bentsen - A look at the Portable Media Center

Larry Hryb - Join in an Xbox Live game

Vladimir Rovinsky - Demo of just released Photo Story 3

Jason Flaks - What is Windows Media Connect?

Jeffrey Snover - Monad explained

Jeffrey Snover - Monad demonstrated

Research

Lyndsay Williams - MSR/UK's "sensecam"

Andy Wilson - First look at MSR's "touch light"*

* Must-see!

Yeah.. I'm drinking the Kool-Aid.

Wednesday, January 12, 2005

Registrar sponsored domain name pollution?

Yesterday morning I woke up to an email from Dotster. Thank you for registering your domain name with Dotster! it read. The strange thing was.. I hadn't used Dotster to register a domain name any time recently.

Upon logging in to my Dotster account, I noticed two new .info domains that were similar (identical, save the tld) to .com and .org domains I had registered through Dotster in the past. So, being the paranoid individual that I am (with all the recent media hype on identity theft, would you blame me?), I sent off an email to Dotster.

I wrote:


My Dotster username is: [SNIP]

This morning I received the email below, thanking me for registering a new domain. I hadn't registered any new domain, yet upon logging into dotster.com, I found 2 new domain names under my account:

[SNIP].INFO Add/Modify 01/10/2005 12/24/2005
[SNIP].INFO Add/Modify 01/10/2005 12/24/2005

I did not register these domains, and am concerned that someone somehow obtained unauthorized access to my account. Could you please investigate the creation of these 2 domain names and contact me ASAP? If I do not hear back by this afternoon, I will follow up with a phone call.


The answer I received from Dotster blew my mind!


.INFO registry was recently offering free .info domain registrations. We took this opportunity to register the .info version of your .com domain for you, free of charge or obligation. This domain will not be set to auto renewal. If you wish to keep this domain name you can use it free of charge for 1 year; after that it will expire. If you wish to continue using it you will have to renew it.

If you do not wish to use this domain please respond and we can delete it for you.

Thank you.


Five hours later, I received official emails announcing the deal. I imagine they received quite a few emails like mine from other concerned customers and figured it'd probably be a good idea to let them know what was up. Better late than never, I suppose.

In any event, I'm pretty appalled by the situation for three reasons.

First, it's a prime example of polluting the domain name space. What is the point of offering a range of top level domains like .com, .net, .org, .info, .biz, etc if the norm becomes to register them all? I'll concede that it makes sense for large corporations to assume the associated cost in order to prevent confusion. But the majority of my domains are used for personal and project purposes, and I don't mind sharing! So-called Cybersquatters are one thing, but if the registrars and TLD sponsors are going to start supporting this type of behavior, I'd call for less, not more, top level domains.

Second, the benefits of this offer will be reaped by Dotster and Afilias (the .info sponsor) -- not the general public or their customers. Just as a very small percentage of people respond to spam, a very small percentage of people will re-register these domains at the end of 2005. Afilias and Dotster bet it will be enough to make the effort profitable and worthwhile. Additionally, Dotster gains the opportunity to push its paid add-on services like hosting.

Third, my name and contact information are attached to these domains and published in the registry. I'm put in the line of fire. It's an unlikely scenario that anything would come of it, but nonetheless, I'm being appointed the point of contact for a domain I never registered.

Ah well.. I certainly plan on doing my part and having Dotster release my domains. I'd like to be able to say "I appreciate the thought, but next time ask first". But they were never thinking of me, now were they?

Wednesday, January 05, 2005

In California...

First off, I apologize to my many faithful readers for a recent lack of updates. I just returned from a very fun vacation in Los Angeles, with a couple of spectacular days in Vegas. Didn't make much time to write, plus, my family's satellite Internet connection leaves something to be desired.

Though I grew up in LA, I've spent the last several years learning/researching/working at the University of Michigan in Ann Arbor. I'm lucky enough to have a great group of friends out here, who have continually put up with my efforts to convince them that their beautiful state leaves something to be desired... (and I'm not just talking about the weather.. though it is 25 degrees and blizzarding as I write)

I'm not quite sure why it takes so long for great ideas from Fastpay parking to drive-thru Starbucks to make their way out to Michigan.. But in the spirit of sharing, I've brought back with me from the West Coast a few pictures of the latest and greatest to hit the streets:



Glow-in-the-Dark Mini Golf! (Because blacklight bowling just wasn't enough.)




Palm Tree? Or cell phone tower in disguise?




THE $10 STORE. Because 99 cents doesn't pay the rent.




What's valet parking without an oxygen bar for while you wait, right?




And what's a fancy restaurant like Chilis without valet parking?




Christmas. Beverly Hills style.




Wouldn't your restaurant be cleaner if you had to post your grade in the window? (ok, this one's certainly not new.. but deserves mention nonetheless!)




Err, how'd that make it in?! Ah well, smog sure makes for colorful sunsets.

And I'll leave you with that for now. Stay tuned.. a special issue of Best of Sky Mall is on the way!