Tuesday, November 20, 2012

Leveraging Social Media When Engineering Tomorrow's Cyber Solutions

G2's Emerging Presence Online

At G2, we recognize that the most valuable cyber solutions begin with meaningful collaboration. On any given day, you can find our engineers huddled around whiteboards solving the federal government's most difficult cyber challenges. Whether we're working on malware analysis, big data analytics, or security automation, G2 is committed to removing the barriers between its engineers and the broader cyber community. We believe that today's cyber engineers can interact with their peers in more productive ways when they leverage the power of social media.

At this year's Social Media Strategies Summit (hosted by @gsmionline), industry experts discussed how companies and employees can interact with others well beyond their existing networks. Conference speakers
like Jennifer Cohen Crompton, Glenn Selig, and Patrick Baynes spoke on topics like search engine optimization (SEO) and developing meaningful content. They stressed that thoughtful preparation (using industry-specific terminology, high-frequency search terms, and stimulating subject matter) can lead to greater visibility on social media sites. By leveraging this strategy when tweeting, updating LinkedIn, and blogging, a software engineer in Ft. Meade, MD can collaborate with a computer scientist at Google to produce tomorrow's computer network defense systems. At G2, we use Facebook, LinkedIn, and Twitter to help our engineers lead innovative discussions with other SMEs. While we are committed to sharing useful content via social media, we encourage our employees, industry colleagues, and friends to actively participate in the dialogue.

In summary: know your audience, create valuable content, connect & collaborate.

What types of cool techniques are you using to expand your online footprint? We're listening!

Sunday, November 11, 2012

An Open Letter to Our Nation's Veterans

Today I enjoyed a wonderful day with my oldest daughter Madeleine.  The highlight of our day was a walk in the woods which ended with a beautiful Eastern Shore sunset.   
Today, I am reminded that this simple pleasure was possible only because of the selfless service of so many men and women who committed their lives to serving our Country.  
To our Vets, I thank you for all that you have done to defend our great Nation.  Your commitment is what guarantees our freedom.  
We are all indebted to you.  From the entire G2 family, thank you.
- Paul Green, CEO

Friday, October 12, 2012

Whither 3D Printers?

By:  E.S., Software Engineer @ G2

It seems as though the market is quietly bringing forward more and more 3D printers; as I sit and watch, I feel a real trend forming, slowly, one plastic droplet at a time ...
It's sure looking like 3D printing is here to stay, and that it's just about to hit the mass market, with consumer-level pricing right around the corner.
With all that creativity now possible, and the new products and markets it will create, I can't help but wonder about the security implications that will come along with it. What if it were possible to 'print' a small robot, electrical circuits and all? When you're not home, your 3D printer could be hard at work doing a hacker's bidding, printing bot after bot, programmed to deliver the contents of your house to the waiting moving van the hacker has parked just outside.
How about tiny bots that can be printed without your knowledge, inside your innermost sanctum, complete with high-def lens and covert wireless network connection?
Or a swarm of nanobots designed to deliver a payload into a person's body without them knowing?
I wonder what great and sometimes terrible things humans will come up with when it comes to any technology, especially ones that merge the virtual and physical worlds ...
But for now, we get to print iPhone cases and other things made only of plastic. It's intriguing technology even at this stage.

Mobile and Your Projects

 By:  M.K., Senior Software Engineer @ G2

I'd like to ask everyone to think about how mobile computing could be incorporated into the projects you are working on.  Ignore for the moment whether or not mobile will ever get approved for use on those projects and just focus on how mobile devices could be used.
When thinking about mobile design here are few concepts to keep in mind:
User Context - mobile devices are used in a lot of different contexts.  Users may be walking, driving, talking with friends, or doing a myriad of other tasks.  They may not be focusing 100% of their attention on the device.  Users often want to get into the system, perform one or two tasks, and get out.  The focus should be on accomplishing specific tasks, not necessarily on providing every possible option to the user.
Spatial Relationships - mobile devices are not tied down to a set location like traditional PCs.  There is a plethora of spatial cues that a mobile device can use: GPS location, WiFi network, accelerometer, heading, and proximity to other devices, to name a few.  Which of these cues can be used to enhance your application and provide a better user experience?
Synchronization - mobile devices are only part of the picture.  Users may be switching between different mobile devices, desktops and other platforms.  Intelligently transferring the information between platforms and enabling users to pick up and continue working between devices is an important capability.
Complementary design - mobile devices may not be the best option to accomplish a task.  There are some situations where a certain class of mobile device may not be the best place to do something.  When designing applications to work across multiple platforms you should first focus on providing the most useful and appropriate interactions on each device.  There may be tasks that you choose not to enable on a mobile phone but do enable in the desktop, web, or tablet versions.  When used properly in conjunction with synchronization, the lack of a feature on a platform is not necessarily a shortcoming, especially if enabling that feature would degrade the rest of the user experience.
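One way to picture the synchronization concept: a last-writer-wins merge of per-device state, so a user can pick up on any device where they left off on another. A minimal sketch (the state layout and timestamp scheme are illustrative, not any particular sync framework):

```python
# Minimal last-writer-wins sync sketch: each device keeps a dict of
# key -> (value, timestamp); merging keeps the newest write per key.

def merge_states(*device_states):
    """Merge per-device state dicts of key -> (value, timestamp)."""
    merged = {}
    for state in device_states:
        for key, (value, ts) in state.items():
            if key not in merged or ts > merged[key][1]:
                merged[key] = (value, ts)
    return merged

phone = {"draft": ("Hello wor", 100), "cursor": (9, 100)}
desktop = {"draft": ("Hello world, from my desk", 250), "cursor": (25, 250)}

synced = merge_states(phone, desktop)
# The desktop edits are newer, so every device now sees them.
```

Real systems layer conflict handling and per-field merging on top of this, but even the naive version lets a task started on the phone be finished on the desktop.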
The most important thing is that if we don't think about how to enable mobile interactions in our projects someone else will.  Mobile device usage is going to continue to grow, and ignoring it because we don't think it will ever be used in our projects isn't really an option. 

The 'then' and the 'now'

By:  B.Y., Software Engineer @ G2

I recently read an article, dating back to 1999, featuring an interview with Ken Thompson. For those of you who don't know who he is: he created the B programming language, helped develop the C language, worked on the original development of UNIX, was an avid security professional, and led the work on distributed operating systems such as Plan 9 (in most ways, my idol). His work laid the foundation for most of what we work on today. In that article he spoke on a few key topics, and I wanted to share some afterthoughts given the current state of the computer science field (and no, I won't regurgitate the article for you).
History Repeats Itself
I find it humorous that now, 13 years later, most points in the article are still relevant today; at the core, history repeats itself. This is wholly apparent in the 'cloud' push many of us are involved in. What project or solution is going to rise again that has already been discovered? Perhaps we could use early research (circa the 1980s) to glean ideas for future projects. Has technology changed enough to inspire new thought on old paradigms?
Thought Process
It seems there are two fundamental paradigms in which we, as computer scientists / software developers, think. There is the classic top-down approach and the age-old bottom-up. In pursuit of an end goal, it seems to take a combination of both types to fully finish a project. I can personally attest to this given a research project I'm working on with Erik S., James B., and Scott W. If not for the combination of us bottom-up thinkers coupled with some crazy top-down guys, we might have missed key interleaving aspects.
Teaching the Core
As some of you may know, this is one topic I'm extremely interested in. Ken wrote: "I think that computer science in its middle age has become incestuous: people are trained by people who think one way. As a result, these so-called orthogonal thinkers are becoming rarer and rarer." I wholeheartedly agree and posit that this statement still stands today, if not more so. This poses an even greater challenge to those of us 'orthogonal thinkers' collected here at G2 nowadays: getting our 'crazy' voices heard over the humming noise that is complacency.
Simple is Beautiful
Ken said it best: "The aggressive use of a small number of abstractions is, I think, the direct result of a very small number of people who interact closely during the implementation. It's not a committee where everyone is trying to introduce their favorite thing. Essentially, if you have a technical argument or question, you have to sway two or three other people who are very savvy. They know what is going on, and you can't put anything over on them." This is more apparent now given the gross number of people pulling the wool over each other's eyes to get what they want. It also speaks to group dynamics and size, a fact that could be a boon for project management. Sometimes the old UNIX adage is correct: less is more.
Anyways, that is the end of my odd rant in case any of you were wondering when I would stop typing. Hope you enjoyed!

Tuesday, September 11, 2012

Apple's Win Over Samsung

By: M.K., Senior Software Engineer @ G2

On Friday, the jury in the latest Apple vs. Samsung case found that Samsung did intentionally copy Apple and infringed on Apple patents.  Apple was awarded $1,049,393,540.00 in damages.  This is less than the $2.5 billion Apple was asking for, but is still a significant amount.  Of course, Samsung has already said they are appealing.
I personally think it was obvious that Samsung copied the iPhone. If you look at pre-iPhone Samsung devices and post-iPhone devices it's hard to miss.  While I don't necessarily feel that everything Apple patented should have been granted one, I do believe that Apple deserves protection for the R&D they put into developing the interface.  As far as I can tell patents are the only way they can currently get that protection.
It's easy to say that the interface elements and interactions are 'obvious' once someone makes them, but the fact is that pre-iPhone phones and PDAs had been around since the late '90s and had not come close to the user experience (UX) of the iPhone.  With Windows 8, Microsoft has invested a lot of R&D effort into coming up with a UI that provides a good experience but is also different.  They also licensed a lot of technology from Apple.
A lot of my complaints with Android are about the lack of polish (I also have issues with fragmentation and device quality, but those are handset manufacturer and carrier issues).  The lack of polish, of a good UX in so many areas, is a serious drawback to the consumerization of Android.  All of the market analysis I have seen shows that while Android users do switch to iOS, iOS users rarely switch to Android.  I believe the reason for this is polish.  Yes, Android devices are a commercial success (for Samsung), but they aren't 'sticky'; Android doesn't appear to hold its customer base once you start to eliminate price, carrier, and market differences.
Google is intentionally avoiding implementing features patented by Apple in the core Android OS.  Samsung implemented a lot of these features; IMO this is what made their handsets the most popular (and only profitable) Android devices.  They just got hit with a huge fine for doing so.  It doesn't appear that anyone in the Android space is investing in R&D to see how to provide a good, unique UX.

The password is dead! Long live the password!


Some of you may remember Bill Gates saying (back in 2004) that the password is dead.  This was way before we had to start using 14-character passwords.
More recently (like yesterday), Carnegie Mellon came up with an improvement on voice recognition, developing a voice-verification technology that can transform your voice into a series of password-like data strings, in a process that can be handled on the average smart phone. Your actual voice never leaves your phone, during enrollment or later authentication. 
So hackers need to steal the data strings instead.  I don't see that as much of an improvement.
The proliferation of passwords has been identified as a serious problem: if you give people too many passwords, they will start repeating them, or simplify their system for coming up with new ones (cognitive loading and all that). So I wonder what we could come up with that would fix that.
The answer, of course, is to make password-obsoleting technology dependent on something immutable and unique about you.
Hint:  If you called your friend from home, and a minute later called from work, they would become suspicious, right?  Even if they could recognize your voice.
As the real estate people say: Location, Location, Location.  You can only be in one place, and it takes a nonzero amount of time to move from one place to another.
But if Apple/Google/FB always know where you are, the privacy advocates will go ballistic.
OTOH, as David Brin pointed out in The Transparent Society, people will need to swallow the bitter pill and just make sure that the information flows in both directions (so you can see who is looking at your information).  Besides, most people sell their privacy every day at the local grocery store for a few dollars.
The only other possible alternative is to use a humanized private/public trap that takes advantage of things only you and your friends know.  You would need to share some tidbits of information, plus a voice record of 40-some phonemes with the institution you trust. For example, after confirming the phone ID to match all the possible numbers Paul could call from, it asks positive and trap questions (while matching phonemes to the bank's record):
Machine:  Where does Jennifer work?
Fake Paul: G2.
Real Paul:  The Urban Teacher Center
Machine:  What did Tiffany say about the diamond bracelet you got her for your 10th wedding anniversary?
Fake Paul: Wonderful.
Real Paul: Umm, Tiffany who?
The next time you call, it asks different, machine-generated questions (like prime numbers: easy to generate, difficult to decode):
Machine:  Who works at The Urban Teacher Center?
Fake Paul: Umm, Sheila Brown
Real Paul:  Jennifer
Machine:  When are you and Jennifer driving to Lockheed together tomorrow? <<if your trusted machine has access to your calendar, it could ask intelligently misleading questions here>>
Fake Paul: 8 AM.
Real Paul: Umm... to where? With whom?
Other easily machine-generated positive questions could include:
What is the next number after your zip code?
What age will you be after your next birthday?
What is the number before your street address?
Is X street close to the one you live on? <<needs googlemaps app>>
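Questions like these are simple to generate mechanically from a small stored profile. A minimal sketch of the idea (the profile fields and question templates here are hypothetical):

```python
# Generate simple 'positive' challenge questions from facts only the
# real user should know. Expected answers are derived from the profile,
# so the literal answer string never has to be stored.

def generate_challenges(profile):
    return [
        ("What is the next number after your zip code?",
         str(int(profile["zip"]) + 1)),
        ("What age will you be after your next birthday?",
         str(profile["age"] + 1)),
        ("What is the number before your street address?",
         str(int(profile["street_number"]) - 1)),
    ]

profile = {"zip": "21401", "age": 39, "street_number": "110"}
for question, expected in generate_challenges(profile):
    print(question, "->", expected)
```

A real deployment would randomize which questions get asked per call and mix in trap questions with plausible-but-wrong premises.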
I wonder if trap questions could be based on the work DARPA is doing on "online personalities" (DARPA-BAA-12-06: Active Authentication)?
I'm also wondering if we could abstract public/private key encryption to a human level...

Communication, what of it?

By:  B.Y., Software Engineer @ G2

Communication seems to be something we struggle with in the technology community. More often than not I find myself in a difficult situation with someone (typically at a client site) because they are using words they don't understand, or hold an incorrect or undefined meaning of them. This issue with communication goes far beyond our work at G2, though, and seems to have become a global epidemic in other fields.
A beautiful example: people who were asked about 'cloud' computing didn't really understand it at all. Sometimes I think these simple wins are what can really get G2 ahead in the game. I don't want to speak for anyone else in the company, but it seems to me that we, as knowledgeable experts in our field, should be communicating our knowledge in effective ways to others so that we don't continue to spread confusion. In my mind this includes correcting someone when they use a term incorrectly (in a nice way), or asking the customer / friend / fellow G2'er to further clarify what they mean so that both parties can better interact.
I've been doing a lot of this with the IAD Cloud Migration, and, if done in a calm and measured tone, it makes demos / briefings / interactions much more effective. I find that the customer and the groups I work with all tend to have a better idea of the technology behind what they want to accomplish and why things can, or cannot, happen the way they would like. My questions for clarification also help by enlightening me on their true intent and overall goals, which usually tie into how the technology will interface with other components.
Additionally (shameless plug to watch more TED): when I was at TED there was a Fellow, a communications professor from Penn State, who gave a wonderful presentation on her experiences teaching scientists versus non-scientists (business, law, art, etc.). She explained that the biggest hurdle was to get them to realize that if they spoke in a language no one else (except them) spoke, they weren't actually communicating at all. Case in point: if someone were to say "Well, the stochastic nature of this function paired with its geometric density temporally concludes its parametric basis," the person on the other end would get lost. I got lost typing it.
Overall, I feel it is our duty as scientists, subject matter experts, guides, mentors, etc. to ensure that we can properly convey our findings, feelings, and understandings to each other; otherwise they'll die with us, which helps no one. I challenge everyone to think about their communication patterns with others and to explore new ways for us to engage and enlighten the people we interact with!
Happy chatting!

Monday, August 20, 2012

An adventure in Windows 8 and OVAL (with a layover in PowerShell)

By:  S.S., Senior Security Engineer @ G2

Back when the first preview versions of Windows 8 came out the first thing I did once I stood up a VM was to try to run OVAL content against it. Using OVALDI it worked fine, and I was able to write inventory definitions for each of the preview releases as they came out.
With Windows 8 released on Wednesday (at least if you have a TechNet or MSDN subscription), it was time to take the next step and explore the new world of applications.
If you haven't heard, Microsoft is following the money and adopting Apple's App Store model. Can't blame them for that: easy money skimmed off the top of digital distribution (this is why Gabe Newell of Valve hates Windows 8 so much; if there's a digital distribution mechanism built into Windows, who is going to use Steam? There go their profits...). More importantly, this means a new way of packaging and delivering applications. I had not read a lot about it, just knew it was different, and thought it might impact the way we do things in OVAL.
More specifically, the issue is how OVAL inventory definitions work. If you're not familiar with inventory definitions, they're checks to see if an application is installed. The problem is that determining whether an application is installed isn't the easiest thing to do. How do you determine it? It depends on the application. Sometimes the installer will create some obvious registry keys, so you know that if they're present the application is too (OK, they could be entered manually, but we'll trust it). Maybe the only registry keys will be in the Uninstall information, which is difficult to search. Or maybe it doesn't create any registry keys; what do you do then? You can always search the system for the executable, but that's not feasible in bulk, as it just takes too long to scan the entire file system that many times. It gets even worse when the application doesn't have an installer and is just dropped wherever the user decides to put it. And then there's always the variable of vendors changing installer packages, deciding to change the keys that are written, etc. Very often the hardest part of writing OVAL content is actually finding the thing you're supposed to test.
So does Windows 8 change any of that? Only one way to find out...
I started out following my usual process for determining the footprint of a piece of software, beginning with a file system and registry snapshot using System Explorer. Then I went to the Windows Store and installed an app. I went with FlightAware, a flight tracking app, since Steph is flying to Vegas this afternoon/evening/night (two 3-hour flights with a 3-hour layover...). Then I went back to System Explorer, took another snapshot, and did a diff. This is where I hope it points out an obvious registry key. No such luck this time. Of course there were some keys here and there, and some files, but nothing that looked like it would be a reliable indicator. Worst of all, searching the diff for the word "flight" came up empty. So how am I going to write OVAL content to find this application if I can't even find its name in any of the registry entries or files that it changed?
I did some Googling on how to list installed programs on Windows 8, hoping I'd get lucky. I did and I didn't - I got the answer I needed, but I didn't like the answer. To list your installed programs you use PowerShell.
PowerShell, my old nemesis... You may remember that a few years ago I wrote that it may be the death of OVAL on Windows, as Microsoft intends to use PowerShell as an abstraction layer as the only way to access the data we need (and a basic tenet of OVAL is that you go as low level as possible - don't trust layers you don't need). It looked like PowerShell was going to be the only way I could write reliable inventory definitions on Windows 8, so I had to get over it.
PowerShell support in OVAL, implemented via the cmdlet_* structures, is pretty new. I looked at the MITRE OVAL Repository to see if any content there used cmdlet, but nothing did. Then I looked at MITRE's sample content; no luck there either. I knew that Microsoft used PowerShell in the OVAL for Exchange benchmarks they publish with SCM, so I downloaded and installed the latest version. That went nowhere, as it refused to let me export SCAP for the Exchange benchmarks (all the others were fine, though that did me no good). Finally I remembered that Matt Kerr had written some cmdlet content as part of creating the content for the SCAP Validation program at NIST earlier this year, so maybe there I could find a model. After Greg Witte helped me find what I needed, I at least had a bit of a model to follow.
So I quickly wrote a test definition that should have brought back a list of all the installed applications. It didn't work. Tried a few tweaks with no luck. Then I wondered if there were issues with PowerShell, OVAL, and OVALDI. To test this I extracted all of the OVAL content from the validation program's cmdlet section and tried it on Windows 8. It failed miserably, so much so that I thought OVALDI was to blame.
I downloaded the source code to OVALDI, found the cmdlet code, and quickly got lost. While getting lost I noted that there didn't appear to be anything that would have restricted what I was trying to do. So OVALDI was off the hook.
Since the validation content worked on previous versions of Windows I wondered if something changed with PowerShell in Windows 8. A little more searching showed me that Windows 8 and Windows Server 2012 use a new version of PowerShell, version 3.0. Could this be the problem? Does OVAL/OVALDI just not handle version 3.0 since it is new?
By this point I was working with a pretty simple test definition that would bring back a list of services. This looked a lot like something from the validation content, so I was pretty confident that I had it right, yet it wouldn't work. Then I noticed that there is a module_version field in the cmdlet_object... is it not working because Windows 8 uses PowerShell 3.0? I wasn't too confident, as the validation content had 1 as the version, but I thought PowerShell 2 was in use. Taking a guess, I updated the version from 1 to 3.0. Ran the content again and wouldn't you know it, I had a list of services. So OVAL and PowerShell can work on Windows 8, it was just my new stuff that didn't work. I guess that's progress...
All I needed to do was make my new Get-AppxPackage call use version 3.0 and I'd be good, right? Nope. Umpteen revisions to my content all have the same result: no data coming back. Then I start thinking about the module referenced in the test content... Microsoft.PowerShell.Management... maybe Get-AppxPackage isn't part of it. Since there is virtually no documentation of PowerShell 3.0, I can't find anything that says where Get-AppxPackage lives. I did some searching for commands I could run in PowerShell that might tell me more about how everything was organized, and I stumbled onto a nice PowerShell 3.0 addition: a command to launch a GUI editor. I launch it, find the command I've been trying to run, and there's nothing useful there, no drilldown for more info, nothing. After a few seconds a tooltip pops up and it lists a module name that doesn't look anything like what I've seen used before. I find a few more commands, get a bit more info, and I'm convinced that I had the module wrong. So I update the module name in my content and it worked.
Just kidding, this isn't close to long enough yet. After numerous trial and error attempts I think about the version number again. Surely since the Appx module that I've finally identified is new in PowerShell 3.0, and pre-existing modules didn't work unless I changed the version from 1 to 3.0, the version needs to be 3.0. Just for fun though, let's try 1. Would you believe it worked? Yes, something that used to work with version = 1 only worked with version = 3.0, and something new in 3.0 would only work with version = 1.
Finally I had the list of installed applications. All I needed to do now was filter the data and I'd be done. But I noticed how slow the PowerShell stuff was to run, and if I continued down my path we'd be taking that performance hit in every Windows 8 application inventory definition. If instead of limiting the results to the app I wanted I just brought back the full list, then looked to see if the app I wanted was in the list, then all inventory definitions could be based on a single pull of the data. So I threw in a state that I wanted to match, containing the name of the app, and gave it a shot.
Big shocker, that didn't work. After some more trial and error I figured out what was happening, but not a solution. A cmdlet_object is fairly unusual in OVAL in that it returns what amounts to a nested array of values. You get back one object that is a set of sets of name/value pairs. I wanted to return true if any of the inner sets contained the name "name" and the value "FlightAware.FlightAware", but by default OVAL says that all of the inner sets have to contain a match in order to return true. Fortunately there's entity_check in the state, which controls how many matches there needs to be. Adding that attribute with the right value finally gave me the result I wanted.
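The nested-set matching described above can be modeled outside OVAL. The cmdlet result is one object holding many records of name/value pairs; the default state semantics require every record to match, while entity_check relaxes that to "at least one". A simplified Python model of those semantics (not OVALDI's actual implementation):

```python
# A cmdlet_object result: one object containing many records,
# each record a set of name/value pairs (modeled here as dicts).
records = [
    {"name": "Microsoft.WindowsCalculator", "version": "1.0"},
    {"name": "FlightAware.FlightAware", "version": "1.2"},
]

def state_matches(records, field, wanted, entity_check="all"):
    """Evaluate a state against nested records under an entity_check policy."""
    hits = [rec.get(field) == wanted for rec in records]
    if entity_check == "at least one":
        return any(hits)
    return all(hits)  # OVAL's default: every record must match

# Default semantics fail even though the app is installed...
state_matches(records, "name", "FlightAware.FlightAware")          # False
# ...while 'at least one' gives the intended inventory result.
state_matches(records, "name", "FlightAware.FlightAware",
              entity_check="at least one")                          # True
```

This is why pulling back the full application list once and any-matching against it works for inventory definitions, while the default all-match does not.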
So after probably 4 hours of work, research, trial and error, and a couple of good hunches, I can now write inventory definitions for apps bought through the Windows Store. If I can keep my eyelids open as I finish them off, I'll be sending the OVAL Repository the Windows 8 OS definitions and a selection of the most important apps (FlightAware, Cut the Rope, and Pinball FX 2). I was pretty excited about figuring this out. How many applications to go?
I should probably address my experience using Windows 8 a little bit. While there are some things that are a little weird, and running in a VM presented some extra challenges, I found it far easier to get used to Windows 8 than I expected. As a productivity tablet OS on the Surface (vs. an entertainment tablet OS on the iPad) I can see it being great. As a desktop OS it is certainly a big change, but there's a lot of good in it. If my G2 machine met the system requirements, I don't think I'd mind switching to it as my primary OS.

Thursday, August 2, 2012

Distributed Databases - Round 2 - MongoDB

By:  J.B., Software Engineer @ G2



MongoDB is a schemaless, document-oriented, distributed database. Documents are built upon key-value pairs and incorporate a variety of data types: primarily dictionaries, arrays, lists, strings, and nested documents. Embedding data structures inside such documents alleviates the need for SQL joins, increasing performance. MongoDB’s document structure is based upon JSON and binary JSON (BSON) to allow for quick and easy use. It was designed with high performance, availability, and horizontal scaling in mind. MongoDB was developed by 10gen in 2007 and is used by MTV Networks, Craigslist, and Foursquare.


Schemaless Design
A major selling point for MongoDB is its schemaless, document-based design. These documents are built from key-value pairs and look like JSON. Users are able to create documents that have specific fields in certain cases and omit them in other documents where they aren't necessary. For example: one could create a “blog” document that contains the properties title, author, date, and blog post. In another “blog” document one could add a “comments” field, a “tags” field, or both.
Since this is a NoSQL database, there are no joins, which increases performance.  Mongo can index on keys from embedded documents or data structures.  Mongo is built with fault tolerance in mind: highly replicated servers with automatic failover when a node goes down.
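The schema flexibility described above is easy to picture with plain dictionaries standing in for documents (a sketch, not the pymongo API; a real collection would be queried the same way):

```python
# Two "blog" documents in the same collection; only one has comments/tags.
blog_collection = [
    {"title": "Hello", "author": "jb", "date": "2012-08-02",
     "post": "First post!"},
    {"title": "Round 2", "author": "jb", "date": "2012-08-09",
     "post": "More databases.",
     "comments": [{"who": "by", "text": "Nice!"}],
     "tags": ["nosql", "mongodb"]},
]

# Queries simply tolerate missing fields instead of requiring a schema.
tagged = [doc["title"] for doc in blog_collection if "tags" in doc]
# tagged == ["Round 2"]
```

No ALTER TABLE, no migration: the second document just carries extra fields.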
Master-Slave Relationship
Mongo has a master-slave relationship among the distributed servers. The master performs all writes. The slaves across the shards replicate from the master and serve reads to clients. There is a feature called auto-sharding that allows for data partitioning across the data servers, and backups of the shards preserve the data. Using auto-sharding, MongoDB is able to scale horizontally by adding new servers.
Another major feature is the ability to perform batch processing such as MapReduce. It is a built-in feature in which all the user has to do is create a mapper and a reducer. There is an incremental MapReduce feature for when a given dataset is continually growing, which prevents aggregating over the entire dataset every time.
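The mapper/reducer split can be sketched in plain Python (a toy word count over documents, not Mongo's JavaScript map/reduce API):

```python
from collections import defaultdict

# Map phase: emit (key, 1) for every word in every document.
def mapper(doc):
    for word in doc["post"].split():
        yield word.lower(), 1

# Reduce phase: sum the emitted values for each key.
def reduce_counts(docs):
    counts = defaultdict(int)
    for doc in docs:
        for key, value in mapper(doc):
            counts[key] += value
    return dict(counts)

docs = [{"post": "to be or not to be"}, {"post": "be quick"}]
word_counts = reduce_counts(docs)
# {'to': 2, 'be': 3, 'or': 1, 'not': 1, 'quick': 1}
```

The incremental variant works the same way, except the reduce step folds new emissions into previously saved counts instead of starting from zero.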


Access Control
A major limitation of MongoDB is that it has no security built into it. There is no notion of permissions or roles directly inherent in the database. The developers intentionally left security to the application level.
When new servers are added, the auto-sharding feature automatically kicks in to rebalance data, which can slow down processing.
Document Size
Depending on what is being saved, the document size limit (4 MB in early versions, 16 MB in current ones) could be a limiting factor.

Use Cases

Rapid Development
MongoDB would be excellent for rapid, agile development. It is well suited to dynamic input where specific fields are only needed in specific cases. MongoDB was built to let users focus more on the application itself and less on the database.

Wednesday, August 1, 2012

Databases, DHT's, and Data (Oh My!)

By:  B.Y., Software Engineer @ G2

Recently, or not so recently, a co-worker and I worked on a grant to explore the different distributed databases that are available. We ended up choosing the four we found to be most prominent. Now that our research has ended, it occurred to us that others might benefit from this knowledge as well. With that, we thought it best to release it as a series of blog posts, one a week, each featuring an overview of one database. First up: Redis...



Redis is an in-memory key-value data store that supports a wide variety of atomic operations. A single instance runs on a single CPU core, and scalability comes from running multiple instances: each instance spins up on a separate core, allowing sharding across multiple cores and physical machines. Redis was created by Salvatore Sanfilippo, with support funding coming from VMware. It is currently used by Stack Overflow, GitHub, Blizzard, and more.



Key Expiration

The EXPIRE command sets the time to live (TTL) for a given key, and the TTL command allows an immediate check of the time left on a given key. This ‘age-off’ capability adds immediate value for short-lived values that are queried often.
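To show the age-off idea without requiring a running Redis server, here is a toy Python sketch of EXPIRE/TTL-style semantics (this is not the real Redis client; it just mirrors the lazy-expiry behavior, where an expired key is removed when next touched):

```python
import time

class ExpiringStore:
    """Toy sketch of Redis-style EXPIRE/TTL semantics."""

    def __init__(self):
        self._data = {}  # key -> (value, expiry timestamp or None)

    def set(self, key, value):
        self._data[key] = (value, None)

    def expire(self, key, seconds):
        value, _ = self._data[key]
        self._data[key] = (value, time.time() + seconds)

    def ttl(self, key):
        _, expiry = self._data.get(key, (None, None))
        if expiry is None:
            return -1  # like Redis, -1 means "no TTL set"
        return expiry - time.time()

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expiry = item
        if expiry is not None and time.time() >= expiry:
            del self._data[key]  # lazy age-off on access
            return None
        return value

store = ExpiringStore()
store.set("session", "abc123")
store.expire("session", 60)  # session ages off in 60 seconds
```

Against a real Redis instance, the equivalent commands are simply `SET session abc123`, `EXPIRE session 60`, and `TTL session`.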

Data Structures as Values

Redis allows for abstract data structures to be put into keys, namely lists (L*), sets (S*), and sorted sets (Z*). These values can be operated on (addition, union, etc.) incrementally within the data store.
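As a feel for what incremental operations on a value look like, here is a rough Python analogue of the Redis sorted-set commands ZINCRBY and ZRANGE (the dict-based sketch below just mirrors the idea of updating scores inside the store; member names are invented):

```python
# Scores keyed by member, standing in for a Redis sorted set.
scores = {}

def zincrby(member, amount):
    # Like Redis ZINCRBY: atomically bump a member's score in place.
    scores[member] = scores.get(member, 0) + amount
    return scores[member]

zincrby("alice", 5)
zincrby("bob", 3)
zincrby("alice", 2)

# Like ZRANGE ... WITHSCORES: members ordered by ascending score.
ranked = sorted(scores.items(), key=lambda kv: kv[1])
# ranked == [("bob", 3), ("alice", 7)]
```

The point is that the data store itself maintains the ordering; the client never has to read, modify, and write the whole structure back.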


Persistence

Redis can periodically serialize its data to disk for backups and fault tolerance. The snapshot is written by a forked background process, keeping the performance hit to the actual data store minimal, and it ensures that after unexpected circumstances or power outages a Redis store can be restored into memory.



Memory Limitations

Redis currently operates within the bounds of a system's physical memory. If more is needed, the underlying malloc() calls simply return NULL once no memory is left, and inserts fail. Further, Redis attaches metadata to each key-value pair, which can add up to nontrivial overhead when dealing with many small keys.

Use Cases

Cycling Data

Redis is very good at aging off data. As seen with the EXPIRE and TTL commands, it is ideal anywhere you need a higher-level ‘cache’ region for rolling or cycling data that is frequently queried.

Small / Frequent Data

Given that it lives entirely in memory, with the limitations that implies, Redis is a prime candidate for small, frequently updated data, such as statistical primitives.

Friday, June 15, 2012

Watch Dogs: Future of Hacking

By: D.F., Security Engineer @ G2

So I am a sucker for futuristic subjects and I always think about the whole "What if?" question. So today I challenge you to think: what if there were a ctOS (central operating system)? To start off, remember back in 2003 when the power grids shut down the Northeast? Well, what if that occurred because of a virus and malicious worms, meaning it was done by someone on purpose? Not just a power overload, but a virus that caused the systems to have the issues they did. A ctOS would govern EVERYTHING: traffic controls, power plants, the internet, communications, and pretty much all the things we take for granted. It would even include our health records, bank information, salaries, and internet activity. Everything governed by one operating system.
Now the big thing is that nowadays we are constantly battling hackers over information and control of markets, businesses, and whatever else. If something like this were to be exploited, the backlash would be tremendous. Sure, this all may sound like a conspiracy theory, but I am asking you "What if?" This kind of technology could very well be built as we progress into the future, whether it's real today or still under construction. The point is we are not safe no matter what an anti-virus does. No matter how STIG'd a machine is, there is ALWAYS a way to gain access to something and seize control. Just imagine the kinds of weapons that could be out there soon: not physical, but virtual weapons that can shut down all we take for granted if we had a central operating system. It is quite scary if you really think about it. So my task for you is this: humor me by watching this trailer... and at the end just think "What if?" I strongly believe that this is the kind of stuff us cyber warriors at G2, Inc. will be working on in the years to come. Always be open minded. Enjoy!
Trailer (Watch after reading):

Friday, May 11, 2012

Are we post PC?

By:  M.K., Senior Software Engineer @ G2

Apple made a big deal about the "post-PC" world with the new iPad announcement.  My question to G2 is what does "post-PC" mean to you and are we entering the "post-PC" world with the current/immediately upcoming generation of phone and tablet devices (iOS 5.1, Android 2.3/4.0, Windows 8)?
To me the term "post-PC" means a time when full-blown desktops/laptops are relegated to special-purpose and hobbyist/enthusiast endeavors, and the needs of 80% of average home and business users can be met by a mobile device. I know there are some arguments that phones/tablets are also PCs, but I am choosing to ignore those; I am using the term "PC" to refer to a combination of mindset, behavior, and interactions that encompasses multitasking, potentially limited connectivity, and a need for local resources (memory, storage, processor).
Based on that definition, I think we are getting close to a "post-PC" era but aren't quite there yet. I think the biggest inhibitors right now are UI and connectivity. UX designers are still working out some of the interactions and standards for the interfaces, and until those are fully worked out, some tasks are just better on traditional PCs. The other roadblock is connectivity: I can't get reliable high-speed access to all of the online resources I would need to totally abandon a PC with local storage and the ability to do almost any task with or without connectivity.
The other things I use a PC for, primarily software development and gaming, fall into the "special purpose/enthusiast" category. It's possible that once someone comes up with the right interface, gaming, for me, could move onto the tablet. I already work around some of the development issues using code editors on the iPad, LogMeIn, and Dropbox so that I can develop on the iPad in an emergency, but it is not a very productive way to work.

Which Browser is the most secure?

By:  S.S., Senior Security Engineer @ G2

It seems like every few weeks you see some supposed authority claiming that this web browser is the most secure, only to be refuted the next day by another supposed authority that says another is clearly the best. I was reminded of this the other day when I saw that Google was backing out of this year's Pwn2Own contest (rightfully so) and putting up their own challenge with more money on the line. Chrome has come away unscathed over the last few years at Pwn2Own, so clearly it must be the most secure browser, right?
While there are many ways to define "secure", with the Pwn2Own goal being just one, I thought I'd take a look at some data. One way to measure the security of a browser might be to count how many vulnerabilities have been reported. Conveniently, we can consult the NVD to find out how many CVEs there have been for each browser. Let's take a look at the CVE counts for the last four years:

          2009   2010   2011   2012   Recent history total
Chrome      39    152    270     41                    502
Firefox    126    107    101     11                    345
IE          27     59     48      4                    138
Safari      72    122     49      0                    243
Raise your hand if that's what you expected. Now put your hand down, you look silly with your hand raised.
Is Google overly confident given the track record of Chrome? Are these numbers a reflection of the relative maturity of each browser? Are they related to how rapidly each browser changes, and thus how open it is to the introduction of new vulnerabilities? What does it all mean? I don't know, but I did find the numbers somewhat surprising.

Oracle v. Google

By: S.S., Senior Security Engineer @ G2

If you're anything like me then you've been fascinated by the Oracle v. Google trial for the past few weeks, reading courtroom transcripts daily. If you haven't been following, you need to get up to speed on what has been happening - this trial has the potential for major impacts on everyone here.
The basic premise of the trial, at least in Phase 1, is that Oracle is claiming Google violated Java copyrights in Android. The basic claims Oracle is making are:
  • APIs are copyrightable, and they have legitimate copyright claims
  • 37 APIs from Java are implemented in Android and thus infringe on the copyright
  • There is some code in Android copied verbatim from Java, demonstrating that it was willful violation of copyright
  • Email traffic over the years indicates that Google knew it needed a license
  • Deviation from Java has caused fragmentation of Java and thus hurt Oracle.
Google's basic counter-argument:
  • Oracle can't make copyright claims to everything they're claiming, other parties have claims on some of it
  • Other projects, like Apache Harmony, effectively do the same thing as Android
  • A license is only needed if you want to validate against the TCK and call your software Java compatible
  • Sun was well aware of what Google was doing, and was supportive (remember - Oracle now owns Sun, thus Java)
  • Former Sun CEO says they didn't go after Google because they knew they didn't have grounds
  • What Android does falls under fair use
  • Android was developed in a clean room, but one of the subs apparently did copy some Java code despite being told not to use anything from Java. Oops, it has since been removed. And it was 9 lines.
The jury has reached a partial verdict, but more on that in a bit. What matters here is the idea that an API could be copyrighted. This case isn't about whether you can "use" the API - nobody is arguing that you can't write Java code that calls the things defined in the API. This is about whether you can do your own independent implementation of an existing API, or is the API protected such that you can't implement it?
If Oracle is right, and an API can be copyrighted, then this sequence of events could happen:
  1. I build a class that has a method called Add that takes 2 integer parameters A and B and returns the value of A + B
  2. I put a copyright on that class
  3. You implement a class with a method called Add that takes 2 integer parameters and returns the value of those parameters added
  4. You just violated my copyright - pay me lots of money
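That hypothetical, sketched in code (the class and method names here are mine, purely for illustration):

```python
# Implementation A: "my" copyrighted class.
class CalculatorA:
    def Add(self, a, b):
        return a + b

# Implementation B: independently written, different internals,
# but the same method name and signature -- i.e., the same API.
# Under Oracle's theory, B could infringe A's copyright even
# though not one line of code was copied.
class CalculatorB:
    def Add(self, a, b):
        total = a
        total += b
        return total

# Both satisfy the same API contract interchangeably.
assert CalculatorA().Add(2, 3) == CalculatorB().Add(2, 3)
```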
Seem crazy? Yeah, it is. The effects are so far-reaching that it is hard to comprehend. Here's a sampling of things that could be found in violation of copyright if Oracle is correct:
  • Samba, for implementing SMB
  • Jython, IronPython, and other implementations of Python's API
  • Mono, for implementing C#/VB
  • Any web browser that implements Javascript
  • Any compiler, for daring to understand a language's API
  • C++, for extending C (maybe...) 
So it all seems completely wrong to everyone with a clue but Oracle, and they're obviously just looking for money. Now the question is whether or not the courts have a clue. Interestingly, the decision to this case is a mixture of the judge and the jury. Here's what the jury determined (paraphrased legalese):
  1. Has Oracle proven that Google infringed on the structure, sequence, and organization of the 37 APIs - YES
    1. Has Google proven that this infringement is fair use - TBD
  2. Has Oracle proven that Google infringed on the documentation of the 37 APIs - NO
  3. Has Oracle proven that Google has infringed on
    1. The rangeCheck method in 2 classes - YES (this was the copied code)
    2. Source code in some other files - NO
    3. Comments in a few files - NO
  4. Has Google proven that Sun/Oracle did things that reasonably led Google to believe that they did not need a license - YES
    1. Did Google rely on this to decide that they didn't need a license - NO (In other words, they had more reasons).
Both sides are publicly claiming victory, but only the Google lawyers were laughing in court, while Oracle's lawyers were sad.
For question 3, the jury did decide that Google improperly copied some code. This is expected to be inconsequential. Oracle asked the judge for damages for that copied code. Here's the funny exchange:

Oracle: Separate damage calculation.
Judge: Do you want all their profits?
Oracle: No, Your Honor.
Judge: This borders on the ridiculous... Based on 9 lines of copying out of 15 million? That would be a big, big stretch.

So Oracle probably shouldn't get their hopes up.
But what about question 1? The jury did find that Google infringed on the SSO of those 37 APIs, which is completely understandable - you can't have interoperability without using the same SSO. What the jury couldn't decide was if it was fair use, or in other words, is acceptable. Ultimately it doesn't matter too much that they couldn't decide, as the judge is going to make the bigger decision - can APIs be copyrighted or not?
During this trial a decision on a similar case came out of the EU, which declared that APIs could not be copyrighted. The judge in this case has read that decision and may follow it. Throughout this case it has looked like the judge is leaning toward the Google side, but maybe it is just him placing the burden of proof on Oracle. He certainly hasn't seemed terribly sympathetic to Oracle.
So who do you have in this case? If you like using computers, hope that Google wins...

Tuesday, May 1, 2012

Python, Data Structures, and XML

By: B. Y., SW Engineer @ G2
I recently encountered a problem where I wanted to deserialize XML into Python data structures to help parse host network and binary data.  Unfortunately, every XML parser on the Internet was off just enough from what I needed that I realized I was going to have to "bite the bullet" and write my own version.  In doing so I created a very abstract class to help generate complex Python data structures that I thought I would share.
The gist of it revolves around the old CS stack.  If you've ever had to implement one, you know there are two dominant methods: push and pop.  Lists in Python offer the same concept with append and pop, but I wanted to incorporate data structures as values as well, plus the inclusion of dictionaries.  With that I created a class 'ds' that leverages the basic concept of a stack with the added functionality of pushing and popping inner data structures.  It goes a little like this:
 $ i = ds()
 $ i.push(5)
 > [5]
 $ i.push(6)
 > [5, 6]
 $ i.pushl()
 > []
 $ i.push(7)
 > [7]
 $ i.drop()
 > [5, 6, [7]]
 $ i.push(8)
 > [5, 6, [7], 8]
 $ i.pop()
 > 8
 $ i.pop()
 > [7]
Hopefully this little example shows how the class allows inner lists (as well as dictionaries) to be created while maintaining the global data structure.  There are a few other methods (pushd, coalesce, and ret) that I didn't cover, but this gives a simple breakdown.
Anyway, I thought others who leverage Python could use this class, so I've attached the source.  If you have any questions on it, or how I used this to deserialize XML, feel free to shoot us an email at recruiting@g2-inc.com.
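For readers who can't grab the attachment, here is a minimal sketch of the list-handling core, reconstructed to be consistent with the session transcript above (the real class also has pushd, coalesce, and ret, plus dictionary support, which are not shown here):

```python
class ds:
    """Stack-like builder for nested Python data structures."""

    def __init__(self):
        self._root = []            # the global (outermost) structure
        self._open = [self._root]  # stack of currently open containers

    def push(self, value):
        # Append a value to the innermost open container.
        self._open[-1].append(value)
        return self._open[-1]

    def pushl(self):
        # Open a new inner list; values now push into it.
        inner = []
        self._open.append(inner)
        return inner

    def drop(self):
        # Close the current inner list, attaching it to its parent.
        inner = self._open.pop()
        self._open[-1].append(inner)
        return self._open[-1]

    def pop(self):
        # Remove and return the last value of the innermost container.
        return self._open[-1].pop()
```

Walking this through the transcript above reproduces each shown result, e.g. `push(5)`, `push(6)`, `pushl()`, `push(7)`, `drop()` yields `[5, 6, [7]]`.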