Monthly Archives: August 2010

An export to take pride in

As a Brit, I find some of our principal exports a national shame.  We are world-leaders in armaments and in financial services.  The latter are not all bad, but much of them are substantially parasitic on the productive economy.

So I’m cheered by today’s news: high net immigration, together with lots of student visas.  It indicates we’re successfully exporting education.  Assuming a large proportion of it is legitimate higher education, it suggests the huge expansion we’ve had in the sector isn’t just dilution and dumbing-down.

In the longer term, education should have a neutral effect on net immigration.  That is to say, the number of students arriving to study should balance the number leaving after completing their studies.  A big rise in numbers therefore indicates a real expansion, and is probably due to the fall in sterling making UK costs a whole lot more competitive for foreign students.

Let’s hope our universities are building on their export success to expand their net capacity as centres of excellence.

cure/placebo

Went to pick my first blackberries of the season today.  Conditions were less than ideal after three days of predominantly rain, but today dawned bright and sunny.  So I went out to a stretch of footpath where I regularly see the brambles and have seen the berries ripening, but where I rarely encounter people.  Should be ideal, right?

Alas no, very poor pickings.  Evidently someone, or more likely several people, got there first 😦  Had to wade right into the scrub to get anything half-decent.  As I got stung and shredded (a regular seasonal hazard – serves me right for wearing sandals/shorts/t-shirt) I saw another plant regularly associated with brambles and nettles: dock leaves.  And a recollection came to me from my distant childhood: dock leaves are supposed to bring relief to nettle stings and rash.

It’s a distant recollection, but they never did bring relief to me.  Over time I reached the age when one bears that level of pain in silence (hey, it’s one of the few slightly-macho things a boy can still do in our emasculated society), and learned of the placebo in biology classes.  The dock leaf is a classic placebo, right?

I don’t know where medical science stands on that one: a very quick google finds both views (not including any authoritative-looking reference).  But nettles and dock leaves surely feature in every English childhood, right?  Can a child’s reaction to dock leaves tell us anything about their personality?  Can it predict how they’ll respond to placebo, including variants such as faith-healing, in treating more serious ailments?  Or on the other hand, how they’ll respond to medically-proven remedies?  And if a correlation can be established, can that be extended to throw any light on ‘alternative’ medicines that may or may not be more than placebo?

Hey, add some fieldwork and rigorous statistics, and this could be developed into a PhD thesis.  I expect it’s been done, but you never know!

Three in a row!

Our cheese shop has long been one of the best things in town.  It’s one of the small shops in the area immediately outside the market: a shopping and services area that’s pedestrianised during shop hours.

This week it’s been joined by two more great food shops.  Firstly the wholefood stall from the market has gone up in the world and moved into a real shop.  On the other side, the olive stall has done the same.  Both the new shops are taking advantage of their improved premises to expand their ranges a little, though it’ll be another day or two before the olive seller looks like a working shop!

That’s my three favourite specialist/luxury food shops all in a little row!  Yum!

Oh, and any foodies might like to make a pilgrimage to Tavistock for the last weekend of this month, when the cheese shop hires the town hall for its annual cheese fair.  A fantastic opportunity for the cheese-loving public (that’s me 🙂 ) to meet the producers, learn about their craft, and of course sample a huge range of cheeses, accompanied by supplements from local wine to pickle, and whatever new attractions they can bring us this year.  In common with other locals, I use this annual event to expand the range of cheeses I’ll regularly buy over the following year.

Untainting in Apache HTTPD

Back in the early days of the web, before there was ever an Apache web server, the first widely-used language for web applications was Perl.  And the Perl community took a lead in raising awareness of security issues and promoting Good Practice, notably with their treatment of tainted data and untainting.

Not everyone has followed Perl’s lead.  Applications in, for example, PHP or C, must either re-invent the security of Perl’s untainting or do without.  Or they can delegate it to mod_security, at the expense of introducing a big third-party module and quite a lot more complexity.

So, what if you could do it within Apache itself?  Well, of course, you can, up to a point.  For example, to untaint your application’s cookie:

RewriteEngine On
RewriteCond %{HTTP_COOKIE} !cookie-match-pattern
RewriteRule .* - [E=MyCookie:substitution-string]
RequestHeader set Cookie %{MyCookie}e

Phew!  What a hideous hack!  Actually it’s untested: I don’t even know if it’ll work, but you get the point.  Complexity is the enemy of security, and this is already horribly complex before we even start to wrestle with the match pattern and substitution.

In fact it’s worse than that.  A client can send multiple Cookie headers (or any other header).  An attacker could do that to circumvent our protection: in outline, send a ‘good’ cookie to get through our rule, together with a malicious one to attack the application.  Oops!  Well, the directives we just used weren’t designed for security: we should’ve used mod_security instead!

Providing a small, simple untainting capability has long been on my wishlist, and now at last I’ve got around to writing a first draft mod_taint, simplifying the above to:

Untaint HTTP_COOKIE cookie-match-pattern substitution-string

with the added bonus of folding any multiple headers into a single line, to close off the multiple-header attack we identified.  In addition to request headers, it can check all aspects of the request line, including form data (though it cannot yet parse it).

The idea is that a simple and effective untainting directive could encourage the levels of usage seen in Perl/CGI, when the community rallied behind the idea of taint-checking every web-facing script.

Actually the mod_taint default is a little different: instead of fixing an unacceptable input, it will check that the request matches an acceptable pattern, and reject the request with HTTP error status 400 (Bad Request) if it encounters an unacceptable request field.  A server admin may also set an alternative error status.

Untaint RequestField match-pattern [error-status]

There are of course also things mod_taint won’t do.  It won’t do anything with POST data, nor will it alert you to intrusion attempts (beyond logging them).  That’s where you definitely want mod_security!
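The check as the post describes it, modelled in Python as an added example (not mod_taint’s own code): each configured request field must match its pattern in full or the request is rejected with the configured status (400 by default), and repeated headers are folded into one line before the check, which is what closes the multiple-Cookie-header bypass.  The rule list, the whole-value anchoring and the fold separator are assumptions made for the illustration.

```python
import re

# Constructed rules in the spirit of the post's "Untaint RequestField match-pattern [error-status]".
# The anchoring, the CGI-style field names and the fold separator are assumptions, not mod_taint's code.
UNTAINT_RULES = [
    # (request field, pattern the whole value must match, status on mismatch)
    ("HTTP_COOKIE", r"session=[0-9a-f]{32}", 400),                    # default: 400 Bad Request
    ("QUERY_STRING", r"(page=[0-9]{1,4}(&lang=[a-z]{2})?)?", 403),    # admin-chosen alternative status
]

def request_fields(headers, query_string="", fold=True):
    """Map raw headers [(name, value), ...] to CGI-style fields.

    With fold=True every instance of a repeated header is joined into one line
    (the post says mod_taint does this); with fold=False only the first instance
    is seen, which is why the mod_rewrite hack in the post can be bypassed.
    """
    grouped = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        grouped.setdefault(key, []).append(value)
    fields = {k: (", ".join(v) if fold else v[0]) for k, v in grouped.items()}
    fields["QUERY_STRING"] = query_string
    return fields

def untaint(fields, rules=UNTAINT_RULES):
    """Apply each rule; return (status, field) for the first failure, else (200, None)."""
    for field, pattern, status in rules:
        if re.fullmatch(pattern, fields.get(field, "")) is None:
            return status, field
    return 200, None

def check(headers, query_string="", fold=True):
    return untaint(request_fields(headers, query_string, fold))

# Constructed sample requests (not captured traffic).
GOOD = [("Host", "www.example.org"), ("Cookie", "session=" + "ab12" * 8)]
TWO_COOKIES = GOOD + [("Cookie", "role=admin")]   # a second Cookie header the first-only check never sees
BAD_QUERY = "page=1&debug=on"                      # not in the permitted query pattern

if __name__ == "__main__":
    print(check(GOOD))                        # (200, None)
    print(check(TWO_COOKIES, fold=False))     # (200, None): second header never checked
    print(check(TWO_COOKIES))                 # (400, 'HTTP_COOKIE'): folded line fails the pattern
    print(check(GOOD, BAD_QUERY))             # (403, 'QUERY_STRING')
```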

Question: do people think this feature should be in the core distribution?  Should I drop it in to trunk, so it’ll be standard in Apache HTTPD 2.4?

The perpetual roadworks

After upwards of three months of works outside, I thought they were over.  Repeatedly.

With a bit of luck, they are indeed over.  So instead, the identical stretch of road has just been dug up by contractors for the water board, who are now doing something with subterranean pipes and valves.

AAARGH!!! 😦

Cambridge

I’ve been too busy and/or knackered to blog from Cambridge, but now I have a spare moment.

I’ve just been to Cambridge with members of the Plymouth Philharmonic choir, who went for a summer jolly and gave two concerts – one in Ely Cathedral, the other in the chapel of St Johns College.

For me, this is a nostalgia trip.  I stayed at my old college (Girton) where long ago I spent four formative years, two of them living in the main building itself.  I took the time to wander the extensive corridors and grounds, and found, reassuringly, that very little has changed since my day.  Except, being outside term-time, the regular students aren’t around, and the place is busy with Japanese students instead.  Where there is refurbishment it’s pretty superficial (carpet, lighting) and definitely not an improvement: the new lights are motion sensitive, and rather uncomfortably bright compared to the old ones.

In town is also of course a nostalgia trip.  Apart from St Johns (which is one of the colleges I knew reasonably well, having had friends there as a student, sung in the chapel, dined in the hall, and partaken of the joys of a far better cellar than Girton could boast), I wandered the grounds of several other colleges.  But the summer is not a good time for this: many of the best places are closed against the tourist hordes (and you can see why, as you do battle against the crush to get from A to B).  My camcard got me past basic guards, and notably spared me touristy entrance charges, but only up to a point.  Clearly better to revisit in term-time.

One observation was that I really felt surrounded by academia.  Strikingly so.  Of course in my youth I really was at the heart of academe, but there was nothing striking about it: this was just the natural environment to be in after leaving school on an academic life path.  Or if you prefer, career path, though it’s been a big downhill since Cambridge.

Also in Cambridge, I went out for two nice meals.  One with pctony, at a veggie place he recommended and which turned out excellent: I need to find excuses to work through much more of their mouthwatering menu.  The other with the choir at a Cafe Rouge: again a very pleasant meal.  I think Cambridge restaurants have improved since my time, but it’s a little hard to judge because my budget back then wouldn’t have extended to these places.  Saw, but didn’t eat at, an old favourite: the old fire engine house in Ely.

In a final twist of nostalgia, I wandered down to the site of my old department (DPMMS) and main lecture halls, and found that the site and building of DPMMS from my time now appears to host CARET, pctony’s workplace!  I even recognised the carpark onto which the Part III (basement) room’s window opened, and recollected how we would curse drivers who ignored the signs telling them to park forwards, and pointed their exhausts straight into our room.

I must revisit in term time.  I even have a should-visit excuse: my oldest nephew is now an undergraduate!  Though I expect a young chap of his age to have better things to do with his time than entertain an old uncle.