Anthony Vance

Assistant Professor—Information Systems—Brigham Young University

Moving to Finland

8 Dec, 2008

Before moving west to BYU, my family will move east—and north—to Oulu, Finland, where we will live for six months (January—July). I’ll be working as a visiting research professor in the IS Security Center at the University of Oulu, researching with my coauthor and center director, Mikko Siponen.

Among other things, we’ll investigate whether we can devise a theoretically-based and empirically-supported security maturity model, similar to the Capability Maturity Model of software engineering.

Joining BYU

1 Dec, 2008

The Information Systems Department of Brigham Young University has invited me to join its faculty, and I am delighted to do so. I’ll start researching and teaching at BYU next fall.

I think highly of BYU’s ISD department, and I look forward to collaborating with them. I also look forward to working with the students of the Information Systems major and of the Marriott School generally.

Evolution of Mac OS X

25 Nov, 2008

Jordan Hubbard, Apple’s Unix Technology Group director and author of “Absolute BSD: The Ultimate Guide to FreeBSD”, recently gave a presentation on the evolution of Mac OS X. It has some interesting information on the under-the-hood developments of OS X and where it will move in the future.

Mac OS X has been my favorite OS since I fell in love with the public beta in the fall of 2000. It’s a great UNIX combined with the nicest user interface I know of.

Speed Up News Reading with Speed-Reading App

9 Nov, 2008

I find that the volume of news that I am interested in reading is increasing. At the same time, I am ever more conscious of my limited time. Fortunately, I’ve found a speed-reading app that helps me process news articles much faster.

Once I’ve identified a news article I would like to read using my news reader (I use Google Reader), I copy the text of the article (using a QuickSilver keystroke) to iReadFast, a free speed-reading app for Mac OS X. With it, I can comfortably read 400 words per minute without losing any comprehension. Click here or on the image below to see a small screencast of how I use iReadFast.

If the text is displayed too fast, you can slow it down. I started at 300 words per minute and have now increased it to 400. I expect to speed it up even more as I become more accustomed to it.

Oulu, Finland

14 Sep, 2008

I arrived in Oulu, Finland today, where I will be researching for the next three months with Mikko Siponen of the University of Oulu. I’ll be studying IT security policy compliance from the perspective of criminological theory, one of my primary research interests.

Dissertation Defended

12 Sep, 2008

I successfully defended my PhD dissertation today, completing my PhD three years after I entered the CIS program at Georgia State University in Fall 2005. My dissertation is titled “Trusting IT Artifacts: How Trust Affects Our Use of Technology”.

Avoid Email Harvesting with a Clever Javascript Hack

30 Aug, 2008

One way spammers collect email addresses is by writing web crawlers—automated programs that scan the Web—that recognize and collect email addresses. To avoid email harvesting, many people refuse to publish their email address on the Web, or try to obfuscate their email address with something like the following:

anthony AT vance DOT org

However, besides being less readable and less functional (e.g., no “mailto:” hyperlink), I doubt that this really fools email-harvesting web crawlers. After all, the above convention is widespread and is no more difficult to recognize programmatically than a real email address.

I recently found (via Daring Fireball) a better solution: HiveLogic’s Enkoder, a clever Javascript hack that doesn’t compromise readability and yet still rigorously obfuscates email addresses from email harvesters. My email address,

is obfuscated in Javascript as:


function hiveware_enkoder(){var i,j,x,y,x=
"x=\"783d223136663631333936635c225c5c653232323d786139325c223d78366536653636" +
"33643531366436633232363533633264363037363663363132313665363036383733363532" +
"32363574722832363937692c322934363532293b7d793832323328276436353625272b7865" +
"3734322e73756265373737735c225c5c5c5c5c5c362b3d756e343666366573636133373536" +
"706538793b5c225c5c68366636653b692b3d3739347832297b793d3b303d69323233652872" +
"6f66363136653b27273d3734363b687432653665676e656c363136642e783c693635356328" +
"72343037366f667b293631366533363d2b363336356928366537346e696d2e363836666874" +
"614d366537393d6a656e67742b692c683734366674676e65336136316c2e78722869293b69" +
"3d3d303b693e6a2d2d3c782e6c3b2933365c5c744172615c5c5c5c3b793d68632e7827273b" +
"663d2b797b6f6176653d6a3b5c223b797d7d393362333b296a283033625c22736275732e78" +
"3d783b292930287441726168632e78286c2e783c693b303d6928726f663b27273d793b2931" +
"28727474736275732e783d2b797b29383d2b693b6874676e656c6e656c2e783c693b343d69" +
"28726f667d3b29342c69287269287274736275732e783d2b797b29383d2b693b6874673b29" +
"6a287274736275732e793d797d3b29342c223b793d27273b666f7228693d303b693c782e6c" +
"656e6774683b692b3d3233297b666f72286a3d4d6174682e6d696e28782e6c656e6774682c" +
"692b3233293b2d2d6a3e3d693b297b792b3d782e636861724174286a293b7d7d793b\";y='" +
"';for(i=0;i while(x=eval(x));}hiveware_enkoder();

Nice, yes? One drawback is that Javascript must be enabled or else nothing will be displayed. Still, this is a small concession to make for being able to post my real email address without fear of increased spam. I now include my email address in my footer as follows:
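Added example (not part of the original post, and not Enkoder's own algorithm): a two-layer version of the encode-then-eval idea described above, generated in Python. The address `user@example.org`, the function names and the choice of layers (string reversal inside hex encoding) are assumptions made for illustration; `peel` mirrors in Python what the browser's `eval` chain would do so the round trip can be checked offline.

```python
import json
import re

# Assumption: only plain ASCII addresses are accepted, so no markup can be injected.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def reverse_layer(js):
    # Store the source reversed; the browser reverses it back and evals it.
    return "eval(%s.split('').reverse().join(''));" % json.dumps(js[::-1])

def hex_layer(js):
    # Store the source as hex digits; the browser decodes two digits per character.
    blob = js.encode("ascii").hex()
    return ('var x="%s",y="";for(var i=0;i<x.length;i+=2)'
            "{y+=String.fromCharCode(parseInt(x.substr(i,2),16));}eval(y);" % blob)

def obfuscate(address):
    """Return JavaScript that writes a mailto link without containing the address."""
    if not ADDR_RE.match(address):
        raise ValueError("not a plain email address")
    link = '<a href="mailto:%s">%s</a>' % (address, address)
    payload = "document.write(%s);" % json.dumps(link)
    return hex_layer(reverse_layer(payload))

def peel(js):
    """Undo the layers in Python, the way successive eval() calls would."""
    while True:
        m = re.match(r'var x="([0-9a-f]+)"', js)
        if m:
            js = bytes.fromhex(m.group(1)).decode("ascii")
            continue
        m = re.match(r"eval\((\".*\")\.split\(''\)", js)
        if m:
            js = json.loads(m.group(1))[::-1]
            continue
        return js

# Constructed sample address, not the author's.
SNIPPET = obfuscate("user@example.org")
```

The generated snippet goes inside a script element where the link should appear. It only hides the address from crawlers that read the page source without executing Javascript.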

What They Didn’t Teach You in Graduate School

15 Jul, 2008

I am enjoying a book called “What They Didn’t Teach You in Graduate School”, by Paul Gray and David Drew. The book is about how to have a successful career in academia as a professor. It is written in the form of short pieces of advice that recommend or warn against something.

Paul Gray is one of the pioneers of the field of Information Systems and he has a lot of great insights and suggestions to share about academia in general. You can read an excerpt of the book here.

Here’s an excerpt on the value of reviewing:

Do, however, serve as a reviewer for journals, particularly top journals. Treat this job seriously. You will see much junk being submitted and appreciate why some journals reject 80 percent or more of their submissions. You will develop an aesthetic for what is good and what is not. You will correspond with some powerful people. When you do get a good paper to review, you will receive much earlier knowledge of an important new development. And the information gained is worth more than the time you take reviewing.

Demonstrating Memory Remanence with OS X

5 Jul, 2008

In my forensics class this Monday I will talk about the disk encryption attack that Princeton researchers published in April of this year. The attack exploits the fact that data remains in RAM for up to several minutes after power to the computer is turned off. Rather than all memory being erased immediately, data in RAM quickly decays as time goes on. The Princeton research team showed that sensitive information such as passwords and disk encryption keys can be recovered from RAM after a machine is powered off. You can see a video of this attack here.

To demonstrate this attribute of RAM to my class, I will follow the simple experiment described here, but adapted to OS X:

1. Unlike other versions of Unix, as of the Intel processor switch OS X no longer has a device file for physical RAM. However, the kernel still supports such a device file. To reenable the device file for physical RAM, pass this kernel option to the boot loader as follows:

sudo nvram boot-args="kmem=1"

To verify that this kernel option was passed, type:

nvram -p | grep boot-args

You should see the following line:

boot-args	kmem=1

Note: to later remove this boot argument, type:

sudo nvram boot-args=""

2. Reboot your machine and verify that you now have a /dev/mem device file.

3. Open a terminal window, type “python” to enter the Python interpreter and enter these commands:

ram = ""
while True: ram += "MYPASSWORD"

4. The Python interpreter will run until physical RAM is so full that it cannot contain one more “MYPASSWORD” string. You can visually show students that RAM is filling up by showing the RAM pie chart in Activity Monitor. After waiting a few minutes after initiating the python command, immediately shut down the computer by holding down the power button.

5. Wait a few seconds or minutes, depending on how much RAM decay you want to allow.

6. Turn the computer back on, open a terminal window, and type this command:

sudo cat /dev/mem > /tmp/ramdump.txt

This step will take a minute or two depending on how much RAM you have installed. Eventually the file will be as large as the amount of RAM installed. In my case, this command yields a 2 GB file.

The command will terminate with this error:

cat: /dev/mem: Bad address

This indicates that all of the contents of RAM have been copied to the /tmp/ramdump.txt file.

7. Type the command,

grep -a MYPASSWORD /tmp/ramdump.txt

This command should then display many instances of the string “MYPASSWORD”, demonstrating that some data has remained in RAM even after power to the computer was turned off.
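Added example (not part of the original post): grep in step 7 only finds copies that survived bit-for-bit, so this Python sketch also counts copies that decayed slightly. It goes beyond the original experiment by using pigeonhole seeding: the marker is split into three pieces, so any copy with at most two corrupted bytes still has one intact piece to find it by. The piece split, the two-byte threshold and the function names are assumptions.

```python
import mmap
import re

MARKER = b"MYPASSWORD"
# (offset within MARKER, piece): three pieces tolerate up to two corrupted bytes.
PIECES = [(0, b"MYP"), (3, b"ASS"), (6, b"WORD")]

def bit_errors(a, b):
    # Number of differing bits between two equal-length byte strings.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def scan(data, max_bad_bytes=2):
    """Return (intact, decayed, flipped_bits) for copies of MARKER in data."""
    intact = decayed = flipped_bits = 0
    for k, (off, piece) in enumerate(PIECES):
        for m in re.finditer(re.escape(piece), data):
            start = m.start() - off
            if start < 0 or start + len(MARKER) > len(data):
                continue
            window = data[start:start + len(MARKER)]
            # Count each copy once: only via its first intact piece.
            if any(window[o:o + len(p)] == p for o, p in PIECES[:k]):
                continue
            bad = sum(x != y for x, y in zip(window, MARKER))
            if bad > max_bad_bytes:
                continue
            if bad == 0:
                intact += 1
            else:
                decayed += 1
                flipped_bits += bit_errors(window, MARKER)
    return intact, decayed, flipped_bits

def scan_file(path):
    # Memory-map the dump so a multi-gigabyte file is not read into RAM at once.
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan(mm)

# Constructed sample: three intact copies, two copies with one flipped bit each,
# filler bytes, and a stray piece too close to the end to be a full copy.
SAMPLE = (MARKER * 3 + b"\x00" * 16 + b"MYPASSWOSD" + b"\xff" * 8
          + b"MYQASSWORD" + b"ASS")
RESULT = scan(SAMPLE)
```

Running `scan_file("/tmp/ramdump.txt")` after different waits in step 5 gives a rough decay curve: the intact count falls while the decayed count and flipped-bit total rise.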

LinEn Network Acquisition using VMware Fusion for OS X

23 Jun, 2008

For those who use EnCase for forensic analysis, a powerful and convenient means of acquiring digital evidence is over the network using LinEn, a Linux-based version of EnCase Acquisition. LinEn is run from a Linux boot disk on the target computer and serves an evidence file over the network to EnCase running on the forensic examiner’s computer. EnCase is a Windows application, but network acquisitions can be successfully performed using VMware Fusion for Mac with the following configuration.

For my setup, I have a MacBook running VMWare Fusion 2.0b1 and OS X 10.5.3. I’m running Windows XP as a VM with EnCase 6.11 installed.

Note: Because Macs can intelligently sense and correct the Ethernet connection when one computer is connected directly to another, a cross-over cable is not required.

1. Boot the target machine using Helix or another Linux live CD that contains LinEn.

2. Once at the Linux command line, type:

ifconfig eth0 10.0.0.1 netmask 255.0.0.0

3. On the Mac, change the IP address to 10.0.0.50 and subnet mask 255.0.0.0

4. Confirm that the Mac and PC can both ping the other.

5. On the Mac, edit the VMware Fusion boot script (/Library/Application Support/VMware Fusion/boot.sh), lines 676-681 as follows:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

Change to:


#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
# Bridge to the primary host network interface (which can change over time).
#"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''
;;

6. Restart VMware Fusion:

sudo "/Library/Application Support/VMware Fusion/boot.sh" --restart

7. Change the VMware Fusion network mode to Bridged networking.

8. Boot the Windows XP VM and change the Windows VM IP to 10.0.0.2 and subnet mask 255.0.0.0.

9. The target machine running Linux should now be able to ping the Mac and the Windows VM and vice versa.

10. Run LinEn from the Linux Live CD on the target machine.

11. From EnCase, acquire over a network cable.


© 2005-2010 Anthony Vance | Theme modified by Anthony Vance, based on design by Wolfgang Bartelme, ported to Wordpress by LEMONed.