Wednesday, September 30, 2009

Spam and Google Wave

After a bunch of Googling around I can find very, very little information on how Google Wave intends to handle the spam problem. A search for 'spam' on the Wave Protocol site yields no results at all. Searching the Google Wave API group for spam yields six unhelpful results. A search of the Wave Protocol group yields a single discussion with eight posts.

In a discussion reported on TechCrunch there was a mention of using whitelisting for spam control in Google Wave:

Q: This seems like this will replace email – but can it really replace all we love about email?

Lars: We think of email as an incredibly successful protocol. Google Wave is our suggestion for how this could work better. You can certainly store your own copy by way of the APIs and with the extensions. The model for ownership — it’s a shared object, so how do you delete the object? Even though it’s a shared object, no one can take it away from you without your consent. There will eventually be reversion to sync up with the cloud or your own servers. We’re not planning on having spam in wave (laughs). Early on in email, spam wasn’t really taken into account, so we benefit from that learning experience. We’re planning on a feature so that you can’t add me to your Wave without being on a white list.

Well, whitelisting doesn't work because people need to receive unsolicited messages from people they don't know. For example, I get lots of messages about my book, or my open source software. I can't whitelist those people before they contact me.

And it's not just me, but businesses need to receive unsolicited mail from potential customers (or even their own customers). Whitelisting simply doesn't work.

Having dealt with spam for a long time, I think they are going to have to come up with a better answer than that. Otherwise a botnet master is going to run a wave server on every bot and start posting spam waves (or worse, waves that appear legitimate and turn into spam waves) to everyone.

I suspect the answer is that it turns out to be the same mix of technologies used for email spam: message hashing, content analysis, sender reputation, IP blacklisting, ...

Tuesday, September 29, 2009

Solving the XSS problem by signing <SCRIPT> tags

Last week I talked about JavaScript security at Virus Bulletin 2009. One of the security problems with JavaScript (probably the most insidious) is Cross-site Scripting (which is usually shortened to XSS).

The basic defense against XSS is to filter user input, but this has been repeatedly shown to be a nightmare. Just yesterday Reddit got hit by an XSS worm that created comments because of a bug in the implementation of markdown.

I believe the answer is for sites to sign the <SCRIPT> tags that they serve up. If they signed against a key that they control, then injected JavaScript could be rejected by the browser because its signature would be missing or incorrect, and the entire XSS problem would disappear.

For example, this site includes Google Analytics and here's the JavaScript:

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
} catch(err) {}</script>

Since I chose to include that JavaScript I could also sign it to say that I made that decision. So I could modify it to something like this:

<script type="text/javascript" sig="...">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript" sig="...">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
} catch(err) {}</script>

The browser could verify that everything between the <SCRIPT> and </SCRIPT> is correctly signed. To do that it would need access to some PK infrastructure. This could be achieved either by piggybacking on top of existing SSL for the site, or by a simple scheme similar to DKIM where a key would be looked up via a DNS query against the site serving the page.

For example, could have a special TXT DNS entry for which would contain the key for signature verification.

To make this work correctly with externally sourced scripts it would be important to include the src attribute in the signature. Or alternatively an entirely new tag just used for signatures could be created to sign the HTML between the tags:

<sign sig="068dd60b18b6130420fed77417aa628b">
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
} catch(err) {}</script>
</sign>

Either way, this would mean that JavaScript blocks could be signed against the site serving the JavaScript, completely eliminating XSS attacks.

Note that in the case of externally sourced scripts I am not proposing that their contents be signed, just that the site owner sign the decision to source a script from that URL. This means that an XSS attack isn't possible. Of course if the remotely sourced script itself is compromised there's still a problem, but it's a different problem.
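The signing scheme proposed in this post, sketched as an added example that is not code from the original post: the site signs each script's src attribute and inline body, and a browser-side check refuses any script whose signature is missing or does not verify. The Ed25519 key pair, the base64 `sig` attribute format, the canonical byte layout, the function names and the `attacker.example` URL are all assumptions made for illustration.

```javascript
// Added example, not code from the original post.
const crypto = require('crypto');

// Constructed site key pair. In the post's scheme the public half would be
// published by the site (its SSL certificate or a DKIM-style DNS TXT record).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Bytes covered by the signature: the src attribute and the inline body.
// Length prefixes stop content being shifted between the two fields.
function canonical(src, body) {
  return Buffer.from(`${src.length}:${src}|${body.length}:${body}`, 'utf8');
}

// Server side: emit a <script> tag with a base64 sig attribute (assumed format).
function signedScriptTag(src, body, key) {
  const sig = crypto.sign(null, canonical(src, body), key).toString('base64');
  const srcAttr = src ? ` src="${src}"` : '';
  return `<script type="text/javascript"${srcAttr} sig="${sig}">${body}</script>`;
}

// Browser side: allow a script only if its sig verifies under the site key.
function verifyScript(src, body, sig, key) {
  const sigBytes = Buffer.from(sig, 'base64');
  if (sigBytes.length !== 64) return false; // missing or malformed signature
  return crypto.verify(null, canonical(src, body), key, sigBytes);
}

function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}="([^"]*)"`, 'i').exec(attrs);
  return m ? m[1] : '';
}

// Simplified tag scan; a real browser would check inside its HTML parser.
function auditPage(html, key) {
  const results = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = attr(m[1], 'src');
    const allowed = verifyScript(src, m[2], attr(m[1], 'sig'), key);
    results.push({ src, body: m[2], allowed });
  }
  return results;
}

// Constructed page: two scripts the owner chose, three injected ones.
function demo() {
  const external = signedScriptTag('http://www.google-analytics.com/ga.js', '', privateKey);
  const inline = signedScriptTag('', 'var pageTracker = _gat._getTracker("UA-402747-4");', privateKey);
  const sigOf = (tag) => attr(/<script\b([^>]*)>/i.exec(tag)[1], 'sig');
  const page = [
    external,
    inline,
    '<script>injectedByComment()</script>',                        // unsigned
    `<script sig="${sigOf(inline)}">injectedByComment()</script>`, // sig reused on other code
    `<script src="http://attacker.example/x.js" sig="${sigOf(external)}"></script>`, // src swapped
  ].join('\n');
  return auditPage(page, publicKey);
}

for (const r of demo()) {
  console.log(r.allowed ? 'RUN  ' : 'BLOCK', r.src || r.body);
}
```

A verbatim copy of a signed tag still verifies, so the signature attests the owner's choice of script, not where in the page it appears. Content Security Policy's nonce and hash sources for scripts later gave browsers a comparable allow-listing mechanism for inline scripts.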

Monday, September 28, 2009

How to fail at journalism

During the period I was campaigning for the Alan Turing apology I was described inaccurately in the press in various ways (this stopped when I told the press how to describe me). But recently a wonderful piece of total inaccuracy has come to light in an article for the Party for Socialism and Liberation:

After a decades-long struggle, led by Turing’s friend and biographer John Graham-Cumming [...]

Wow, four major errors in one small phrase.

1. I was born years (make that years and years) after Alan Turing died. How exactly does that make me his friend?

2. I am not his biographer.

3. There was no struggle, I started an online petition and worked on it in my spare time.

4. And that decades-long struggle lasted a full... 37 days.

Friday, September 25, 2009

Geek Side Trip: CERN

While over in Geneva for the Virus Bulletin 2009 conference I managed to make a side trip to see CERN. It turned out to be a great afternoon because the tour was guided by actual physicists and I took a school trip.

I am a little old for it, but when I organized my trip I was told that I would be added to a group from Steyning Grammar School. There I was with 23 final year A-level students on a whirlwind trip to Switzerland. They were extremely nice kids, and I could easily imagine that teaching such a group would be incredibly rewarding.

The visit started with a talk and a film. This told the story of CERN itself (it's almost 55 years old) and described the operation of the Large Hadron Collider.

Here's what part of the LHC looks like (this is a mock-up). The large blue thing is one of the super-conducting magnets. There are 1,232 of these in the 27km ring, each weighs about 27 tonnes.

After that we were bussed over to where the superconducting magnets used in the LHC are received and tested. This involves cooling them down to very close to 0 K (actually 1.7 K), turning on the pair of magnets and inserting a rotating rod inside the two tubes where the particle beam will pass.

Here's a view of a slice through one of the magnets. The two tubes in the middle are where the particle beams pass. The tubes contain a hard vacuum and are surrounded by super-conductors that form the magnet. The entire thing is bathed in liquid helium by a network of pipes.

The rotating rods inserted to test the magnets contain coils that have an electric current induced in them. By measuring the electric current it's possible to confirm that the magnetic field inside the tubes is perfect. The magnetic field is what bends the counter-rotating beams slightly so that they end up tracing out a circle.

This is a detail of one of the particle beam tubes with the valve used for maintaining the hard vacuum. I was surprised how small it was.

And here's a shot of a single dipole magnet ready to be attached to the test apparatus.

And if you are going to move one of those around you need a robot. This one floats around on an air cushion.

To join the magnets together in the circle you need a flexible coupling. The Bulgarian physicist who showed us this bit explained how the magnets were coupled and soldered together: 125,000 separate joints! This is where the LHC failure occurred.

As well as being bent by the magnets, the beam has to be accelerated. That's achieved by one of these:

And to keep the beam focussed you need another sort of magnet (I don't have a picture of those, but there are 392 of them).

After all that we headed over to the AMS which is a satellite that will be attached to the International Space Station. The highlight of that part was that the designer of it (a friendly Italian man called Giovanni Ambrosi) was on hand to explain what he'd been up to for the last 15 years.

POPFile v1.1.1

The cool team that manages the POPFile project (that I started what seems like years ago...) have just released v1.1.1 with a bunch of improvements (especially for Windows users).

From the release notes:

1. New features

You can now customize Subject Header modification placement (head or tail)
by changing the new option 'bayes_subject_mod_pos'. (ticket #74)

NNTP module now caches articles received with the message number specified.

You can now jump to message header/message body/quick magnets/scores in the
single message view by clicking links on the head of the page. (ticket #77)

You can now filter messages shown in the history using 'reclassified' option.
(ticket #67)

2. Windows version improvements

The minimal Perl has been updated to the most recent 5.8 release. Since this
release of Perl only officially supports Windows 2000 or later POPFile 1.1.1
may not work on Windows 95, Windows 98, Windows Millennium or Windows NT. The
installer will display a warning message explaining that POPFile may not work
properly on these old systems.

The Windows system tray icon's menu now offers options to visit the support
website and check for new versions of POPFile.

If the automatic version check feature has been turned on (via the Security tab
in the User Interface) then the system tray icon will change and a message box
will be displayed. This check is performed once per day.

Now that all known problems with the system tray icon have been fixed it will
be enabled by default in new installations. (ticket #106)

The Windows installer now preselects the relevant components when upgrading or
modifying an existing installation. (tickets #13 and #26)

The Windows installer can now display the UI properly even if the database is
very large (tens of MB). (ticket #109)

Fixed a problem that POPFile does not work on Japanese Windows when the path
of the data directory contains non-ASCII characters (e.g. the user name is
written in Japanese). (ticket #111)

The installer is now compatible with Windows 7.

3. Mac OS X version improvements

The installer for Mac OS X 10.6 (Snow Leopard) has come.
Since Snow Leopard includes Perl v5.10.0, the Perl modules which are supplied
with the POPFile installer v1.1.0 or earlier aren't compatible with it.

Starting with this version, two versions of installer will be released.
One is for Snow Leopard, and another is for the former versions of Mac OS X.
The name of Snow Leopard installer will have '-sl' suffix.

4. Other improvements

The users who are using very large database (tens of MB) will be able to
reclassify messages faster. (ticket #108)

JavaScript must die

I've just completed my presentation at Virus Bulletin 2009 which was entitled JavaScript Security: The Elephant running in your browser.

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

Here are the slides:

Tuesday, September 22, 2009

The Geek Atlas: now on your iPhone

Today, O'Reilly released my book, The Geek Atlas, as an iPhone application. It's the complete text of the book on the iPhone. Since the book is organized as small chapters it's very readable on a small screen.

The neatest feature is that the latitude and longitude given for each place in the book is clickable and takes you straight to that location on Google Maps.

And it's only $5.99 or £3.49.

Forty two days of Hacker News karma

For a bit of fun I set up a cron job grabbing the Hacker News leaders table. After 42 days of running I pumped the resulting HTML through a little Perl script and then into Apple Numbers for some analysis.

Just picking the people who had greater than 5,000 karma on August 12, 2009 some patterns emerge. Especially the rise and rise of edw519 who is closing in on nickb. edw519 is adding an average of 108 karma points per day.

Other users who are moving fast are patio11 (adding 59 per day) and jacquesm (adding 83 per day). I don't appear on the graph because I had below 5,000 karma when I started the script.

Sunday, September 20, 2009

Power bricks I have known and loved

Power bricks are the cockroaches of consumer electronics: they're ugly, simple and seem to survive everything. I've got a collection of power bricks for now dead or gone equipment that happily keep pumping out volts.

So, I figured that I would catalogue them to see what I had lying around.

I won't bore you with the complete catalogue, but the output voltages are interesting (these are the rated voltages, and not measured): 24.5, 24, 20, 20, 19, 12, 12, 12, 12, 9, 9, 8.4, 8, 6.5, 5.9, 5.1, 5, 5, 5, 5, 3.6.

I guess I don't need a fancy bench voltage generator regulator!

Friday, September 18, 2009

Yet more rubbish UI design on a telephone

What is it about telephones that inspires such awful design? Is it any wonder that the iPhone is a success? It must have been like shooting fish in a barrel to design a phone that works (if you happen to be Apple).

My desk phone is a Cisco IP Phone 7960 Series which is apparently "designed to meet the communication needs of professional workers in enclosed office environments--employees who experience a high amount of phone traffic in the course of a business day".

Right now I've got voicemail. This is shown by a big red thing glowing on the handset and a message that says "You Have VoiceMail" on the display, and a flashing envelope symbol.

Right next to the flashing envelope is a soft button. Since it's pointing to the envelope, doesn't it seem like that should take me to voicemail? Well, it did to me, at least, but nope, it's the equivalent of pressing the "PickUp" button and asks me what number I want to dial.

And then, why, when I get into voicemail, do I have to use the number keys to navigate and not all the nice soft keys on the phone? For crying out loud.

I'm hiring in Central London

My stealth start-up is looking for a very experienced JavaScript developer to work on our open source code base that has a potentially very significant industry impact. You'll be joining a team of two working on cutting edge JavaScript code designed to change the way online optimization software tools are deployed. You'll need to be very familiar with jQuery, YUI and other JavaScript technologies. You'll need to think that testing your code is vital. You'll write small, fast, clear, maintainable code.

The company is funded by a top-tier West Coast VC, is very well positioned in the space and has influential contacts. But the successful candidate's professional JavaScript skills, credibility in communications, energy, and ability to influence, will collectively all be critical to the success of this industry initiative.

Critically, you'll also be a good communicator. This role combines both hands-on development with evangelism. You should be comfortable blogging, answering developer questions on a mailing list, standing up at a conference and giving a presentation, and attending high-level customer meetings.

You'll have experience with one or more web analytics tools and be interested in keeping an eye on the market for online marketing and user experience software tools. Perhaps you'll also have worked for an online advertising service, or other company that needs to instrument web sites with JavaScript.

You'll be familiar with Flash and interested in learning about other technologies like AIR and Silverlight.

Ideally you'll have a bachelor's degree in computer science (or something similar) and five years of real programming experience.

First test is to figure out how to contact me.

Monday, September 14, 2009

Back to normal life... time for an official release event for my book, The Geek Atlas

Now that the dust has settled on my Alan Turing petition with the phone call from the Prime Minister, it's back to normal life for me. Part of that's a book release event for The Geek Atlas.

If you are in London on Saturday, September 19 and fancy meeting me (for whatever strange reason!) then come join me at the Brunel Museum at 1400.

Full details of the event are here.

Friday, September 11, 2009

"Hello John. It's Gordon Brown."

Last night the British Prime Minister Gordon Brown issued a long statement about my Alan Turing petition that included a clear apology for his treatment. Unfortunately, I've been in bed nursing the flu so it was only by chance that an amazing sequence of events occurred.

Yesterday evening I realized that I had to check my email (I'd been avoiding it while ill) because of a work commitment on Friday and so I logged in to find a message that read:

John - I wonder if you could call me as a matter of urgency, regarding your petition. Very many thanks!


Kirsty xxxxxxx
10 Downing St, SW1A 2AA
Tel: 020x xxxx xxxx

So, I called back. The telephone number was the Downing Street switchboard and after Kirsty told me that the government was planning to apologize for Alan Turing's treatment she then said "Gordon would like to talk to you".

A few minutes later the phone rang and a soft Scottish voice said: "Hello John. It's Gordon Brown. I think you know why I am calling you". And then he went on to tell me why. He thanked me for starting the campaign, spoke about a "wrong that had been left unrighted too long", said he thought I was "brave" (not sure why) and spoke about the terrible consequences of homophobic laws and all the people affected by them.

I was mostly speechless. The Prime Minister was calling me!

What no one saw was the work to make this happen. And what many don't realize is that the 'campaign' consisted of a staff of one: me. Although many people enthusiastically got the word out via Twitter, blogs and other means, I spent a great deal of time massaging the press, handling celebrities, and keeping the momentum to make it happen. One day, perhaps, I'll tell the story.

Most of the planning was done from the top deck of a London double-decker bus on the way to work. Amazing what you can do with 30 minutes of peace and an iPhone.

But what I must do is thank all 30,000 people who signed the petition, the media who ran with the story (especially the Manchester Evening News, BBC Radio Manchester, The Independent and BBC Newsnight) when it was still a small story. Thank you to all in the LGBT press that interviewed me and got the ball rolling in the first place. And thank you to the big names like Richard Dawkins and Stephen Fry who got the story out to a wide audience.

And thank you Gordon Brown. Your telephone conversation with me was heartfelt, and your apology clear and unambiguous. What a wonderful outcome!

For me, it's the end of my campaign.

But for others it is not. It's vital that Bletchley Park and the National Museum of Computing secure funding to keep them alive.

Wednesday, September 09, 2009

You don't have to be gay

Talking to the editor of a major magazine aimed at gay men it became clear that he assumed, incorrectly, that I was gay, and that that was an important factor motivating me to push my Alan Turing petition. I understand why he assumed that, but it also worries me: it makes it easy for people to assume that this is a 'gay issue'.

It's not...

You don't have to be gay to think that prosecuting a man for a private consensual sex act who just seven years before had been hailed as a hero of the Second World War was simply wrong.

You don't have to be gay to be appalled that just thirteen years after Alan Turing committed suicide the crime he committed was no longer a crime.

You don't have to be gay to think that chemically castrating a man (after offering him the "alternative" of prison) because of his sexuality is simply disgusting.

You don't have to be gay to feel the pain of the bitter irony that Alan Turing helped defeat a regime whose ideology was based on prejudice, only to find himself prosecuted because of another form of prejudice at home.

You simply have to be human.

Thursday, September 03, 2009

The world is watching, Mr Brown

As I write over 25,000 people in Great Britain have signed my Alan Turing petition. To think that I was worried about getting 500 signatures!

On Monday, the BBC posted a story about the petition and it's now gone global. My Inbox was stuffed with messages from around the world in support of the petition and expressing regret that non-Britons couldn't sign the petition.

And now the international press has picked up the story. After all, Turing was not just a British genius, he was a genius full stop. A man who deserves to be known in Britain and worldwide.

So, Mr Brown, 25,000 people in Britain (and growing by the minute) including big names such as scientist Richard Dawkins, writer Ian McEwan, human rights campaigner Peter Tatchell, philosopher A C Grayling are backing the campaign. And now the rest of the world watches. Here's a selection of the worldwide press:

Here I have only included major press; there are many, many more articles in the specialist press.

Update More countries have now covered the story:

Update I now can't keep up with all the international press. If you are interested here's a suitable Google News search.

Wednesday, September 02, 2009

Dear Media People

Thank you for all the articles about Alan Turing and my petition. Just one small complaint.

Please don't call me a "top programmer", "leading British computer expert", "leading computer scientist", ...

An accurate description would be: "John Graham-Cumming, computer programmer and author of The Geek Atlas".


Alan Turing does have surviving family

One of the objections to an apology for Alan Turing is the claim that he has no family. Clearly, Alan Turing as both a gay man and as someone who was given estrogen injections doesn't have any direct descendants.

But he does have family.

Turing had an older brother and his brother does have direct descendants. One of them wrote the following note to me:

After reading about your petition on the BBC website, I thought you'd like to know that there are members of Alan Turing's family around (although not direct descendants for obvious reasons!). He was my mother's uncle. Most of the family have not retained the name due to marriage, but my step-uncle is a Turing. My family have always remembered Alan Turing proudly.

Other people wrote to say that they know of other family members. So if Gordon Brown does decide on offering an apology there are family members who could decide to accept (or reject) it.

Tuesday, September 01, 2009

An email from MI5

So I started the Alan Turing petition and I wrote to Her Majesty The Queen asking her to consider a posthumous knighthood for the man. But you didn't know that I also wrote to the Security Service (MI5) asking them to release whatever they could about the death of Alan Turing.

Here's my email:

I have been leading a campaign to get the British Government to apologize for the prosecution of Alan Turing. This campaign takes the form of a petition on the Number 10 web site (you can see it here:

Personally, I believe that Turing's death was suicide, but there are rumours about him possibly having been killed because he 'knew too much'. I find these rumours silly, but would the Security Service be willing to release whatever files it has on Alan Turing so that any information you have can be made public?

It is now 55 years since Turing died, and I assume that most of what you know about him can be made public without affecting operational security.

Thank you,

Today, I received an email reply:

Dear John

Thank you for your enquiry.

All of the historical information that we can currently release is either available on our website, or is held by the National Archives

You can learn more about this history of the Security Service at the National Archives at


The Enquiries Team
The Security Service

So, first I popped over to the Security Service web site and did a search for "alan turing":

Hmm. No dice. So, it's off to the National Archives and the same search:

So, that was a complicated way of saying "No".

The 'big names' backing my Alan Turing petition

As the BBC reported, scientist Richard Dawkins, writer Ian McEwan and human rights campaigner Peter Tatchell are all backing my Alan Turing petition.

If you read down the over 16,000 names on the list you'll see other celebrity names popping out, but I have not been able to confirm them. Are you a 'big name' who's backing the campaign? If so, please get in contact.

A big thank you to the 34 professors who have signed the petition, and especially to Professor Noel Sharkey for having me on his podcast.

Update Just noticed a tweet from Labour MP Tom Watson about my Alan Turing petition.

Update The British philosopher A. C. Grayling just confirmed that he's signed the petition and thinks it's an "excellent idea".

Update Stephen Fry just tweeted his support.

Update Two more famous scientists on the list: Sir Roger Penrose and Sir Michael Berry.