27/05/2015

What Really Happened to the Search Results?

I noticed this tweet along with a number of blog posts about the same topic. And there are many more pages like that, from the Internet atheism/skeptic brigade, protecting the world from Christianity gone mad.

What has happened is that using Google to search for the phrase what happened to the dinosaurs triggered a match on a book with a similar title: What Really Happened to the Dinosaurs by Ken Ham. His crime is to be a creationist. Can you believe it? Those sneaky Christians have gone and adjusted Google's search algorithm, so that when you search for the title of a book, you get back a bunch of information about the book. Think of the children!


Oh, wait. No. There's definitely a lack of critical thinking going on here somewhere, though. What's worse is all the oh-so-clever geniuses leaving 'feedback' about this, explaining how the result is incorrect because science! and similar. They seem to also have failed to notice this response to their submissions: Note: Your feedback won't directly influence the ranking of any single page. Probably because they are gleefully posting about how they have 'corrected' Google. They also appear to believe that despite this, the invisible hand of Google has listened to them, and removed the offensive result, rather than what has actually happened - all the recent posts about the 'controversy' are weighted higher by the search algorithm, because they are more recent pages...

Grrr. If there's one thing I hate it's idiots like this who believe they are more intelligent than they are (see also Dunning-Kruger effect) and are blessed with super-rational skepticism that makes them infallibly right, unlike those poor benighted religionists. There's a time and a place for making fun of people who support flimsy beliefs with pretend science, and this is not it.

07/08/2012

Google TFA Security Issue

The following note describes a (serious) security vulnerability in Google accounts two-factor authentication, which I believe enabled a complete TFA bypass and would therefore lead to full account access. I have raised this with Google, but it is a 'Known Issue' and no action is being taken, so there are no constraints on publication. I understand their security versus usability tradeoff, so this is mostly an exercise in full disclosure.

Since there was no bounty awarded, the issue was only recorded on the Honorable Mention list for Q3 2012. It can be found in the Prior to 2015 section of the Google Security Hall of Fame archive. If you want to verify that my name really is there you will need to click on the Show List link, and then search for Kennedy. The screenshot to the left is an edited copy of this page, created to highlight my entry, but there are a lot of other honourable mentions, so follow the link to see everything in context...



UPDATED 2013-02-25

The same issue has been discovered and blogged about by Duo Security researcher Adam Goodman - Bypassing Google’s Two-Factor Authentication and Hacker News discussion.

Issue

Given only an application-specific password for the account, it is possible to bypass two-factor authentication, disable it, and re-enable it with a different Android device and phone number, without ever knowing the account password or having access to an authorised authenticator or phone number.

Discovery

I enabled two-factor authentication or two-step verification [1] on my Google account last year, using an Android phone connected to an Orange PAYG SIM to generate the validation codes. In the process of moving flat, I lost this phone and also mislaid my printed set of backup codes. This meant that I was unable to authenticate myself to any of the Google account services over HTTP/HTTPS, as after accepting my password they all required the extra TFA code. These included the account and profile settings page, Google+, Blogger and other Google web properties such as YouTube.

In fact, the only Google services I could access were those for which I had an application-specific sixteen-character password [2] already generated, and it was not possible to generate any further such passwords. Additionally, these passwords are not sufficient to log into any of the Google web sites, and attempts using them are rejected. The only approved way to disable TFA and regain access to Google sites was to go through the account recovery process [3], which requires detailed knowledge of the history of the account. Even as the owner of the account, I was unable to provide enough correct answers to satisfy Google support and regain access, although I tried several times.

Using the vulnerability below I discovered that I was able to bypass the normal restrictions and re-configure the account security settings to give me access to my account again, and register my new phone and device instead.

Requirements

The following are required to gain access to a two-factor authentication protected account. Note that the main password is not needed, nor is access to any of the configured authentication devices or phone numbers.

  • Any application-specific password for the Google account (this can usually be obtained by examining the configuration files of an application that uses the password, or by looking in the Keychain on OS X or the equivalent credential store on other operating systems)
  • Android 3.2.2 device (As tested, other versions may also work)

Process

The following process will enable full access to, and control of any Google account protected by two-factor authentication. I have tested this using my own Google account.

  • Add the Google account to the Android device, giving the application-specific password as the credential
  • Ensure 'Google automatic sign in' is enabled for the Android browser
  • Access Google's homepage using the browser
  • Click on 'account settings' or other link which requires authentication with Google
  • The browser authenticates automatically, and you will be logged in as the chosen account
  • It is now possible to change all two-factor authentication settings, either disabling it completely or changing the configured device and phone numbers used to generate codes
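To make the trust boundary in the steps above concrete, here is a small Python model of the flaw. It is added here as an illustration and is not Google's code; the account, session and service names in it are assumptions. The vulnerable configuration issues a session from an application-specific password and then lets that session edit the two-step verification settings, exactly as the process above does through the Android browser. The hardened configuration records how each session was authenticated and refuses security-setting changes unless the session came from the password plus a second-factor code (step-up authentication).

```python
"""Hypothetical model of the two-factor bypass; not Google's code.
All class, method and field names below are assumptions."""

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Account:
    username: str
    password: str
    tfa_enabled: bool = True
    tfa_device: str = "phone-1"               # assumed name of the registered authenticator
    app_passwords: set = field(default_factory=set)


@dataclass
class Session:
    username: str
    strength: str   # "full" = password + second factor; "asp" = application-specific password only


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison for secrets (lengths may differ; compare_digest handles that)."""
    return hmac.compare_digest(a.encode(), b.encode())


class AccountService:
    """Hypothetical account back end. step_up=False reproduces the reported behaviour."""

    def __init__(self, account: Account, step_up: bool):
        self.account = account
        self.step_up = step_up

    def current_tfa_code(self) -> str:
        # Stand-in for the code the registered device would show; fixed so the example runs offline.
        return "123456"

    def login(self, username: str, password: str, tfa_code: Optional[str] = None) -> Session:
        a = self.account
        if username != a.username or not _eq(password, a.password):
            raise PermissionError("bad credentials")
        if a.tfa_enabled and (tfa_code is None or not _eq(tfa_code, self.current_tfa_code())):
            raise PermissionError("second factor required")
        return Session(username, "full")

    def generate_app_password(self, session: Session) -> str:
        if session.strength != "full":
            raise PermissionError("only a fully authenticated session may create app passwords")
        asp = secrets.token_hex(8)           # sixteen hex characters, like the ASPs described above
        self.account.app_passwords.add(asp)
        return asp

    def login_with_app_password(self, username: str, asp: str) -> Session:
        a = self.account
        if username != a.username or not any(_eq(asp, p) for p in a.app_passwords):
            raise PermissionError("bad application-specific password")
        return Session(username, "asp")      # no second factor was ever checked

    def change_tfa_settings(self, session: Session, enabled: bool, device: str) -> None:
        if session.username != self.account.username:
            raise PermissionError("session belongs to a different account")
        # Vulnerable path: any session for the account is enough.
        # Hardened path: the session must have completed the second factor.
        if self.step_up and session.strength != "full":
            raise PermissionError("re-authenticate with password and second factor")
        self.account.tfa_enabled = enabled
        self.account.tfa_device = device


def attacker_with_stolen_asp(service: AccountService, asp: str) -> bool:
    """Return True if a session built only from the ASP can re-point two-step verification."""
    session = service.login_with_app_password("victim", asp)
    try:
        service.change_tfa_settings(session, enabled=True, device="attacker-phone")
        return True
    except PermissionError:
        return False


def run_scenario(step_up: bool) -> Tuple[bool, str]:
    """Owner sets up TFA and an app password; the attacker then has only the app password."""
    account = Account("victim", "correct horse battery staple")
    service = AccountService(account, step_up)
    owner = service.login("victim", "correct horse battery staple", service.current_tfa_code())
    asp = service.generate_app_password(owner)
    taken_over = attacker_with_stolen_asp(service, asp)
    return taken_over, account.tfa_device


if __name__ == "__main__":
    print("vulnerable:", run_scenario(step_up=False))   # (True, 'attacker-phone')
    print("hardened:  ", run_scenario(step_up=True))    # (False, 'phone-1')
```

The point the model makes is that the security settings page is the one place where an application-specific password must not be good enough: the hardened service keys its decision on how the session was obtained, not merely on which account it belongs to. Tracking that authentication strength on the session (the same idea as an authentication-method-reference claim in a token) is what lets a service offer the usability of app passwords without letting them unlock the controls that govern the second factor.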

Conclusion

This is a serious flaw, since users assume that their accounts cannot be compromised unless an attacker obtains the device used for authentication, or gains control of their authorised phone number, neither of which is required for this attack.

It is possible to log into an account protected by two-factor or two-step authentication without ever completing the second-factor step or having access to the authorised device or phone. This bypasses all the protection that users assume the service provides, allowing an attacker in possession of an application-specific password to gain complete control over a two-factor protected account which the user believes is safe.

References

[1],[2],[3]

23/09/2011

Reboot

I have decided to reboot my blog using Blogger templates. This means the layout is not as well designed as I might like - the previous design had six years of editing and tweaking...! Since the most boring type of blog post is one that talks about the blog itself, I'll leave things at that.

I have recently started working at a new company, a cloud technology start-up based at Edinburgh University. Cloudsoft produce Monterey, a middleware framework for application mobility across various cloud infrastructure providers. I am developing the latest version of this, on which more later. It is a great environment to work in, with really smart colleagues and lots of challenges that keep me thinking. There are also the obvious benefits of being based in the University, such as very fast Internet and free access to academic journals.

Due to the scope of my work, I have found myself learning a lot of interesting new things. These range from picking up new languages (Groovy), libraries and APIs (jclouds, AWS, Seam CDI), applications (Redis, Karaf, Chef, Infinispan) as well as technologies (OSGi, PaaS). I am also working on open source projects during 20% of my time, which will mostly involve Qpid but I have also been investigating jclouds and elasticsearch. I hope to be able to write more about many of these topics.

01/08/2010

Silly, Mischievous Fools and Rogues

The following extract from Churchill's Wizards: The British Genius for Deception 1914-1945 by Nicholas Rankin (pp. 379-380) is taken from a minute to the Security Executive, made on 06 September 1940, by Sir Alexander Maxwell, Permanent Under Secretary at the Home Office, in response to a proposed defence regulation making it 'an offence to attempt to subvert duly constituted authority.'

There would be widespread opposition to such a regulation as inconsistent with English liberty. Our tradition is that while orders issued by the duly constituted authority must be obeyed, every civilian is at liberty to show, if he can, that such orders are silly or mischievous and the duly constituted authorities are composed of fools or rogues [...] Accordingly we do not regard activities which are designed to bring the duly constituted authorities into contempt as necessarily subversive; they are only subversive if they are calculated to incite persons to disobey the law, or to change the Government by unconstitutional means. This doctrine gives, of course, great and indeed dangerous liberty to persons who desire revolution, or desire to impede the war effort [...] but the readiness to take this risk is the cardinal distinction between democracy and totalitarianism.

Sir Alexander Maxwell
06 September 1940

13/02/2010

LEGO Games 3835 Robo Champ

It was my nephew's fifth birthday recently, and I was struggling to find a suitable present for a young boy that loves robots, and also playing with LEGO. Then, I remembered I was supposed to be finding a present for Ben! Fortunately, I discovered Robo Champ while browsing the new Hamleys store, in Glasgow!





This is an excellent game, both conceptually and in actual execution. It consists of LEGO pieces, and instructions to build three brightly coloured, cartoon style robots and one die. All the robot LEGO pieces provided are standard shapes and sizes, as found in any conventional LEGO set, and there are 118 separate pieces in total. The only custom part is the die, which accepts 2x2 tiles on each face (or combinations of two 2x1 or four 1x1 tiles) so you can re-use parts or build extra robots if desired. The robots themselves are fairly simple to build and great to look at and play with once built - in fact the set would be worth it just as a three-robot kit, I feel! Once built, the robot arms, legs and heads are detachable by design, and this is an essential feature of the game...

There is a contest at the robot factory. The first to build a robot with all the correct colour parts will win this year’s trophy and be named the Robo Champ. If someone takes a part you need you may have to steal it back to achieve victory. A fast and fun game to play again and again for 2 to 3 players. Game play approximately 10-15 minutes.

Gameplay is quite straightforward, with the amusing back-story above presented in the instructions. Players take turns rolling the die and each get to pick, swap or steal an appropriately coloured robot part depending on the colour shown. In line with the spirit of LEGO, the rules are malleable, and it is suggested that players and families develop their own sets. I felt that the initial set of rules was complex enough to provide a fun game, but still easy to learn. The first game I played took around ten to fifteen minutes, just as suggested on the box, which included the learning time. Of course it also took some time beforehand to build the robot pieces involved, which will depend on your individual LEGO skills.

One caveat for this set is based on my experience with the recipient of the set I purchased, my young nephew. He is slightly younger than the suggested minimum of six years old, but has very readily grasped the idea behind building LEGO models from their instruction sheets, and loves robots of all kinds! He found it hard to grasp that his beloved new robots had to be taken to pieces after he built them so carefully, and also had difficulty accepting that he might not be able to re-build the robot with the correct parts. I think that older children would be able to understand this aspect of co-operative gameplay automatically, but it is a point to note if buying this for younger children. Also, the next time he plays, he will not have just built the new robots, so will be less apprehensive about their impending destruction.

Title / Robo Champ
Manufacturer / LEGO
Price / GBP 6.45 / EUR 8.98 / USD 19.45
Pieces / 118
Code / 3835-1
Released / 2009

An excellent, fun game for children and adults alike, with the added bonus of a collection of amusing robot models.



Five out of five cats preferred Robo Champ



There are several other LEGO game sets which intrigue me, such as Creationary and Lunar Command. I think this is a great idea from LEGO, and hope they continue the theme. Sadly, some sets, like Knight's Kingdom Chess Set, are no longer available, but I think a quick look on eBay would probably net a copy.

LEGO® is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this site.

04/02/2010

Brain Overflow

I'm a great fan of Stack Overflow, which is a collaborative expert-sexchange style site that actually has useful answers to your questions. The site allows anyone to ask software development questions, and registered users can answer them, and also vote on other people's answers, giving a consensus opinion that is surprisingly accurate. The site itself has some nice features, with heavy use of AJAX for dynamic forms and open interfaces for avatars and authentication. The site also functions as a wiki and hosts meta-discussion about itself. And, if you want to do something clever with a host of questions, answers, ratings and wiki articles, the data is available as a torrent to download.

Anyway, the creators have spun off the software behind it as a stand-alone product for community question-and-answer sites as StackExchange. They sell consultancy and services as well as hosted versions of the software as white-label sites, and give away free access for non-commercial usage. It's a nice business model which I'd love to copy with my own software...

While looking at some of these associated sites, I discovered Math Overflow, which makes Andrew feel stupid. This is chock full of people asking about non-trivial isomorphisms, homologous Cauchy integral groups over non-integral fields, and getting intelligent answers! Of course, there's also lots of homework questions, and potentially unanswerable stuff in there too. I really like some of the philosophical discussions that pop up, as well as the more basic questions which are good at reminding me how much of my education I've forgotten due to alcohol and time...

The whole point of this post is that I found this amazing video, which is a sphere being turned inside-out in the most awesome way possible, with a little help from Pixar and the University of Minnesota. The frame shown above is just part of the transformation, which is very clearly explained. The whole video is just over 20 minutes long, and I suggest you watch it all the way through, as it's pretty cool (and probably expensive, counting the number of grants that funded it...) animation for 1994.

18/04/2009

Working Standards

well, i've now been working at yell adworks for almost three months, and i'm really enjoying it so far. after spending (probably too much) time on design, we have got started on development of a workflow engine system. i'm using spring, hibernate, mule, cxf, jbpm and other interesting technologies, some of which i'm still learning about (mule and associated esb technologies) or, in the case of spring, updating myself on - until now the most recent version of spring i had used was 2.0.9 and we are using 2.5.6, with attendant annotation based goodness and so on.

one of the only problems so far is the continuous integration system, which is set up with a very strict set of checkstyle and PMD rules for code quality. i'm all in favour of managing code quality as an automated process, and continuous integration with these tools is a Good Thing, but i keep falling foul of some of the rules, in particular the checks for multiple return statements in one method, to enforce single exit points. i believe writing methods with guard clauses up front is the most readable and elegant way of expressing certain types of logic, and apparently martin fowler agrees with me (see his refactoring book). the following discussion on stackoverflow is relevant, too. also, there are strict rules on long variable names, which keep me from naming things like constraintDefinition or workflowInstance, although i do agree with the restriction on short (less than four characters) names.

i'm (really) going to try and make more of an effort to keep this blog updated more frequently, since it's over a year since i last posted ;)

16/03/2008

greenock central


sunset over greenock central station taken with panorama setting by stitching three landscape frames together using a sony ericsson camera phone.

29/02/2008

images from outer space...

I recently managed to obtain some images of the asteroid (7166) Kennedy, which is named after my father, Malcolm Kennedy. The discoverer Ted Bowell, and his colleague Bruce Koehn, sent me a set of four images from their frame archive. The Lowell Observatory Near-Earth Object Search (LONEOS), which is funded by NASA, looks for objects that may present a hazard to the planet, such as asteroids with orbits that are close to or intersect Earth's. As far as I know, we are in no danger from Kennedy, which is comforting.

I uploaded the images from Bruce to a Flickr set, and tagged them with a note indicating the asteroid's location, since it's very faint (magnitude 16.6 in these images). Also, to see more details, including the IAU discovery details and citation, as well as confusing orbital ephemeris and data, I have updated the Wikipedia article. This contains the image you can see here, which is a composite of the LONEOS frames, saved as an animated GIF to show the motion across the fixed stellar background. I really can't explain how much I appreciate the fact that Ted named this object after Malcolm, so I'd like to publicly thank him anyway.

02/10/2007

coming home present


the problem is, of course, whether to be happy that biggles likes me enough to give me his dead mice, *OR* to be worried that there is (was) a mouse (or mice) in my flat... maybe it's time to board up the hole in the bathroom wall before it gets colder?