Current Topic: High Tech Developments

Improving vulnerability discovery models

Topic: High Tech Developments
7:08 am EST, Feb 7, 2008
Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.

Strategic Alert Throttling for Intrusion Detection Systems

Topic: High Tech Developments
7:07 am EST, Feb 7, 2008
Network intrusion detection systems are themselves becoming targets of attackers. Alert flood attacks may be used to conceal malicious activity by hiding it among a deluge of false alerts sent by the attacker. Although these types of attacks are very hard to stop completely, our aim is to present techniques that improve alert throughput and capacity to such an extent that the resources required to successfully mount the attack become prohibitive. The key idea presented is to combine a token bucket filter with a realtime correlation algorithm. The proposed algorithm throttles alert output from the IDS when an attack is detected. The attack graph used in the correlation algorithm is used to make sure that alerts crucial to forming strategies are not discarded by throttling.

New Unit of Reviewed Code Quality

Topic: High Tech Developments
7:06 am EST, Feb 6, 2008
Now I can finally tell my non-technical friends and family what my company does.

The internet is the social network

Topic: High Tech Developments
7:06 am EST, Feb 6, 2008
Jeff Jarvis: I believe the killer social graph app will be the one that sniffs and understands our relationships without our having to take explicit action or by exploiting the actions we take for different reasons.
The killer app is an exploit.

Robot snake goes on display

Topic: High Tech Developments
8:21 pm EST, Feb 4, 2008
A unique robotic snake developed by Plymouth-based Merlin Robotics working alongside Nottingham Trent University is to go on display at the London Science Museum’s DANA centre in April 2008. The vertical snake, designed to function as an interactive artwork, includes two technologies which Merlin claims are a world first. The muscle activation technology uses built-in air valves which enable greater control and scope for movement. The snake’s absolute optical position linear sensors are bus addressable and less susceptible to magnetic interference. The mechanism can also be implemented into commercial applications. The snake was first unveiled at the Emergent Objects & Performance Design Symposium, funded by the Arts and Humanities Research Council (AHRC) and the Engineering and Physical Sciences Research Council (EPSRC). Dr Philip Breedon of the College of Art and Design at Nottingham Trent University said: ‘Merlin Robotics have been excellent partners to work with. Their approach and experience related to soft robotics enabled us to explore and develop challenging new ideas and concepts in advanced robotics. Merlin continues to provide excellent technical support as we further refine and develop this project.’

IPv6 Transition Tools and Tui

Topic: High Tech Developments
8:21 pm EST, Feb 4, 2008
In every ISP's engineering group there invariably lurks a list of those tasks that lie just a little bit beyond the normal day to day activity of reacting to events as they happen. For many the item "IPv6??!!" has been on this "to do" list for some years, if not for the entire lifetime of the ISP itself! This particular task falls into the category of being large enough that there's never normally enough time to put aside to work on it in between all the other day to day tasks, but it's not important enough on any day to push the task to the top of the priority stack. So instead it resides on this "to do" list for year after year. This seemingly endless deferral of core engineering for IPv6 appears to be a pretty typical scenario at the moment across the Internet. A look at the IPv6 inter-domain routing table at the moment reveals some 900 unique Autonomous System numbers (AS's), or 900 networks that are publicly routing IPv6, while there are some 27,300 equivalent AS entries in the IPv4 Internet. So there are still a fair number of networks for whom turning on IPv6 remains something to do tomorrow, or possibly the day after. But is switching on IPv6 support in the network really such a hard task? What does it take to turn on IPv6 in your network?
You might be asking, before you've clicked through, what is Tui? Tui is an appliance for Internet connected networks to use to connect their IPv6 cloud to other IPv6 clouds over IPv4 best paths. Tui is also a Teredo and 6to4 relay, to provide efficient tunnelled connectivity to end users of an IPv4-only access network.
Also: The Tui (Prosthemadera novaeseelandiae) is an endemic passerine bird of New Zealand. It is one of the largest members of the diverse honeyeater family.

Electricity storage: Ne plus ultra | Economist

Topic: High Tech Developments
8:21 pm EST, Feb 4, 2008
PUT the pedal to the metal in the XH-150—a souped-up Saturn Vue—and watch the instruments. Sure enough, the speedometer shoots up in a satisfactory way. But an adjacent dial shows something else: the amount of charge in the car's capacitors is decreasing. Ease off the accelerator and as the speedo winds down the capacitors charge up again. Such a capacitor gauge could become a common sight on the dashboards of the future. A capacitor can discharge and recharge far faster than a battery, making it ideal both for generating bursts of speed and for soaking up the energy collected by regenerative braking. AFS Trinity, a company based in Washington state, has turned that insight into a piece of equipment that it has fitted into an otherwise standard production model as an experiment. The result—the XH-150—was unveiled at this year's Detroit motor show. In fact the XH-150 is a three-way hybrid, employing a petrol engine and conventional lithium-ion batteries as well as its special capacitors. An overnight charge gives it an all-electric range of 40 miles (60km), after which the petrol engine needs to come into play. AFS Trinity says the vehicle is capable of more than 80mph and returns the equivalent of 150 miles per gallon (more than 60km/litre) in normal use. Edward Furia, the firm's chief executive, reckons the extra kit would add around $8,700 to the price of a petrol-only vehicle were it put into mass production. This, however, may be only the start. Eventually, the so-called ultracapacitors on which the XH-150 is based may supplant rather than merely supplement a car's batteries. And if that happens, a lot of other batteries may be for the chop, too. For it is possible that the long and expensive search for a better battery to power the brave, new, emission-free electrical world has been following the wrong trail.

Topic: High Tech Developments
11:55 am EST, Feb 2, 2008
Humans weren't made for scrolling and searching. We were made for zooming.
What MemeStreams needs is a zoom interface. Also, I need a big-screen multitouch display.
Like A Super Hero

Arc: A Medium for Sketching Software

Topic: High Tech Developments
11:54 am EST, Feb 2, 2008
From Paul Graham and Robert Morris: This site is about Arc, a new dialect of Lisp. It's unfinished, but usable, so we decided to release what we have so far. The current version compiles into MzScheme and structurally is as much a skin on MzScheme as a separate language. For example, Arc's read is MzScheme's, and so are Arc's numbers and math operations. But from the average programmer's point of view, Arc is no more similar to Scheme than any two Lisp dialects are to one another. Arc is designed above all for exploratory programming: the kind where you decide what to write by writing it. A good medium for exploratory programming is one that makes programs brief and malleable, so that's what we've aimed for. This is a medium for sketching software. It's not for everyone. In fact, Arc embodies just about every form of political incorrectness possible in a programming language. It doesn't have strong typing, or even type declarations; it uses overlays on hash tables instead of conventional objects; its macros are unhygienic; it doesn't distinguish between falsity and the empty list, or between form and content in web pages; it doesn't have modules or any predefined form of encapsulation except closures; it doesn't support any character sets except ascii. Such things may have their uses, but there's also a place for a language that skips them, just as there is a place in architecture for markers as well as laser printers. To the extent we can influence whatever customs are associated with Arc, we'd like to propose three principles. Number one, expect change. Arc is still fluid and future releases are guaranteed to break all your code. In fact, it was mainly to aid the evolution of the language that we even released it. Second, we'd like to encourage a sense of community among Arc users. If you have a question or a suggestion, share it with everyone in the forum. And if you know the answer to a question you see in the forum, help out whoever posted it by replying. 
Be nice; if someone's being a dick, don't let the anonymity of forums tempt you to reply in kind. And finally: It's not a coincidence that we wrote a language for exploratory programming rather than the sort where an army of programmers builds a big, bureaucratic piece of software for a big, bureaucratic organization. Exploratory programming is the fun end of programming, and we hope that will be the guiding principle of the Arc community.