(A)bort, (R)etry, (I)gnore: Perspectives on Information Security

I’m concluding two years of experience with a 15-inch Macbook Pro, Mac OS X 10.5.8, 2.4 GHz Intel Core 2 Duo, 4 GB RAM. My experience suggests that the perceived “quality” of Macs is overrated — they are no more or less high quality than other commodity notebooks.

Specific complaints follow:

1. keyboard and trackpad randomly stop responding; reboot fixes issue for short time. Keyboard occasionally “stutters” or repeats characters until another key is pressed. This requires me to carry around an external keyboard and mouse. I hypothesize that the battery comes into contact with the keyboard and trackpad connector and leads to a short or overheated wire.
2. battery is effectively dead; unplugged operation of notebook leads to about 5 minutes of uptime before hard power off
3. the battery/CPU/GPU put off tremendous heat (others have noticed this “feature” of Macbooks
4. internal optical drive intermittantly fails to read CDs or DVDs; total failure about a year in
5. the “Automatically adjust brightness as ambient light changes” option under Display occasionally “checks” itself (even though I have unchecked it). As a result, the screen dims at inconvenient times
6. the built-in iSight camera has recently (within past 6 months) stopped working (this makes keeping in touch with family difficult, as I need to reboot every time I want to video Skype). I can get it to work briefly by shutting down the machine, resetting the system memory as described by Apple (with machine off, press and hold the power button for 5 seconds), and rebooting. When I manually reposition the physical screen position, the camera stops responding (in the middle of Skype sessions). It appears that the camera also stops working upon a suspend/closing the lid. From these symptoms, seems like a loose wire or connector.

Do I have good things to say about this machine? Yes, but they basically amount to “it works.” The negatives listed above, however, strongly detract from the overall usefulness of this machine, particularly as a mobile platform.

The Panopticlick project is an interesting data collection exercise and experiment aimed at understanding just how unique a browser (yours, not to put too fine a point on it) is.

In essence, the EFF researchers show how to fingerprint a browser (1) without storing any state in the browser and (2) simply by executing code that reads public properties and configuration that your browser makes available (this information includes the “UserAgent” string, but goes far beyond it to detect other properties like installed fonts and plug-ins, screen size, screen resolution, and time zone, among others).

I first heard about this project from Bruce Schneier’s February Cryptogram (covering his January 29 blog post – most of the comments, including one from the EFF researcher, Peter Eckersley, are enlightening), but then a paper about the system crossed my email Inbox. Going to the site, I found that my browser (as of 15 March) has about 19.5 bits of entropy and is unique out of 741,612 browsers that have visited the page. Like most other people have experienced, the most distinct parts of my fingerprint are my system fonts and my plug-in details. My user-agent (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6), time zone (EDT), and screen details (1440×900x24) also give away some bits of identifying information, but much less than the fonts and plug-ins.

Schneier’s blog links to this Arstechnica news story.

Other related work is the browserrecon project.

The upcoming May/June issue of IEEE S&P magazine has a column (written by me under the “Education” department run by Matt Bishop and Cynthia Irvine) that discusses how we can help students nurture a dual frame of mind when writing code. The article discusses the lack of opportunity, time, and encouragement for students within the traditional CS curriculum to explore the edges of a system or uncover and test the hidden assumptions of a designer or implementor. I’m trying to get my students to write attack scripts with every assignment they submit to help them get into this simultaenous black hat/white hat mindset.