Category Archives: Poetry

The Second Coming

by William Butler Yeats (1865-1939)

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity.

Surely some revelation is at hand;
Surely the Second Coming is at hand.
The Second Coming! Hardly are those words out
When a vast image out of Spiritus Mundi
Troubles my sight: a waste of desert sand;
A shape with lion body and the head of a man,
A gaze blank and pitiless as the sun,
Is moving its slow thighs, while all about it
Wind shadows of the indignant desert birds.
The darkness drops again but now I know
That twenty centuries of stony sleep
Were vexed to nightmare by a rocking cradle,
And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?

Interesting that this was written soon after the first World War had ended. I am tempted to research and see if I can find evidence of bias towards those who show a lack of conviction — ones who look before leaping.

The most famous line here “The best lack all conviction, while the worst are full of passionate intensity” is cited in a personal appeal by Jimmy Wales, Wikipedia’s founder, on the Dunning-Kruger effect.

The unskilled therefore suffer from illusory superiority, rating their own ability as above average, much higher than it actually is, while the highly skilled underrate their abilities, suffering from illusory inferiority. This leads to the situation in which less competent people rate their own ability higher than more competent people.

No conclusion is provided by Wales other than what the research shows on its own. He brings up various types and forms of bias but leaves out the role of historical events such as World War I.

Eleventh hour of the eleventh day of the eleventh month

Today marks Armistice Day, the 1918 surrender of Germany that ended hostility on the Western Front in World War I.

It also is known as Veterans Day in the US, thanks to sentiment from Kansas, as I have written before.

Poppies are used for remembrance in reference to one of the most heavily contested areas of Europe, Flanders, which sits between French, German and British control. The flowers grew all around the battlefields and expanding cemeteries of Belgium.

A poem called “In Flanders Fields” was written by Canadian Colonel John McCrae while fighting there and published in 1915:

In Flanders fields the poppies blow
      Between the crosses, row on row,
   That mark our place; and in the sky
   The larks, still bravely singing, fly
Scarce heard amid the guns below.

We are the Dead. Short days ago
We lived, felt dawn, saw sunset glow,
   Loved and were loved, and now we lie,
         In Flanders fields.

Take up our quarrel with the foe:
To you from failing hands we throw
   The torch; be yours to hold it high.
   If ye break faith with us who die
We shall not sleep, though poppies grow
         In Flanders fields.


Poster from the Canadian War Department

The reference to crosses is not universal for more reasons than one might expect. Today the German news points out that some of the dead are treated differently from the other casualties in Flanders.

The Langemark cemetery is the final resting place of 44,294 German soldiers. More than half of them are buried in one mass grave, the Kameraden Grab, their names etched on large dark plaques running alongside the site.

[Andre de Bruin, a World War I guide and founder of Over The Top Tours] points to rows of gravestones that lie flat on ground, explaining: “Belgium imposed very strict restrictions on German memorials. Headstones were not allowed to stand, not like those of the Commonwealth soldiers and there were many other rules that applied only to Germans.”

There were hundreds of burial sites of German soldiers after 1918 but in the 1950s, Belgium ordered that the bodies be regrouped in no more than four sites, of which Langemark is one.

“It was probably done out of hatred for what happened, especially during World War II when Belgium was occupied. They even forbade the use of crosses above the headstones,” de Bruin said.

Children of Wealth in Your Warm Nursery

by Elizabeth Daryush, as mentioned in Poetry Magazines

Children of wealth in your warm nursery,
Set in the cushioned window-seat to watch
The volleying snow, guarded invisibly
By the clear double pane through which no touch
Untimely penetrates, you cannot tell
What winter means; its cruel truths to you
Are only sound and sight; your citadel
Is safe from feeling, and from knowledge too.

Go down, go out to elemental wrong,
Waste your too round limbs, tan your skin too white;
The glass of comfort, ignorance, seems strong
To-day, and yet perhaps this very night
You’ll wake to horror’s wrecking fire - your home
Is wired within for this, in every room.

ASP.NET Padding Oracle Attack

Cryptographic keys can be stolen from ASP.NET web applications by modifying cookies and reviewing the resulting errors — an information disclosure vulnerability from a side channel attack. This video shows the Padding Oracle Exploit Tool (POET) in action:

Details can be found here: Padding Oracle Crypto Attack (POCA)

The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application’s crypto API.

[…]

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site’s decryption process works. Rizzo and Duong said that the attack is reliable 100 percent of the time on ASP.NET applications, although the time to success can vary widely. The real limiting resources in this attack are the speed of the server and the bandwidth available.

They say the longest attack time so far has been just 50 minutes. They do not say what the longest time is to fix a site and prevent the attack path.

Microsoft is investigating and discussing a fix. Since it is an information disclosure vulnerability I expect they will enhance the ability to redirect or completely suppress errors. They also may add some randomness of errors to reduce timing attacks — attempts to guess information by the time it takes to respond. Either way, it was already a best practice to suppress errors to prevent information disclosure.

Edited to add (Sep 28th):

  1. Here is a great introduction to Padding Oracle Attack, including Python code
  2. Microsoft has released a patch, which has to be manually installed from their download center. They also give the following recommendations, as I predicted above:

Until the patch has been installed, administrators should configure servers to only respond with a single error page, meaning that all server errors should return the same error page so that an attacker would not be able to determine which part of their request was deciphered properly. In addition to this, modify the Page_Load() function within the custom error page to pause for a short random sleep delay before sending the error response.

Administrators should watch for errors with the following message: “CryptographicException” and/or “Padding is invalid and cannot be removed” as these could be an indicator that an attacker may be trying to exploit this vulnerability against an IIS server.
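The monitoring advice above can be turned into a simple burst detector. The following Python sketch is an added example, not code from Microsoft or from the original post. It assumes a log layout of `<ISO timestamp> <client IP> <message>` and a constructed sample log, and it flags clients that trigger the quoted errors repeatedly within a short window, since one isolated padding error may only be an expired or damaged cookie.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicator strings quoted in the advisory text above.
INDICATORS = ("CryptographicException", "Padding is invalid and cannot be removed")

# Assumed log layout (not from the page): "<ISO timestamp> <client IP> <message>"
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

# Constructed sample log: one noisy client, one client with a single error.
PADDING_ERR = ("System.Security.Cryptography.CryptographicException: "
               "Padding is invalid and cannot be removed.")
SAMPLE_LOG = ["2010-09-28T10:00:%02d 192.0.2.10 %s" % (i * 2, PADDING_ERR)
              for i in range(8)] + [
    "2010-09-28T10:00:05 198.51.100.7 " + PADDING_ERR,
    "2010-09-28T10:00:09 198.51.100.7 System.NullReferenceException: "
    "Object reference not set to an instance of an object.",
    "garbage line without a timestamp",
]

def parse_line(line):
    """Return (timestamp, ip, message), or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, m.group(2), m.group(3)

def find_padding_error_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each client IP to its peak count of padding errors inside `window`,
    keeping only clients that reached `threshold`. Expects each client's
    entries to appear in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent matching errors
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not any(s in parsed[2] for s in INDICATORS):
            continue
        when, ip, _ = parsed
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop errors that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(find_padding_error_bursts(SAMPLE_LOG))
```

The threshold and window are tuning values chosen for the example; set them from the normal rate of padding errors your own application produces.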