You are currently browsing the monthly archive for February 2009.

Today, after the 8 hour “Industrial Control Systems Security for IT Professionals class”, I wanted to make something pretty. And code. And work on a protocol problem. I’ve needed to look a little at the new Stimulus bill for work lately, so I thought I’d try and at least say I’d written Python today, dissect the text of the bill into parsable chunks, then throw it into some visualizations. I can’t easily capture the interesting avenues of analysis I was pursuing visually (and I don’t feel like writing it up), but I did manage to make some kind of pretty pictures. Hopefully someone feels inspired from them and goes down a similar path. (I already have some ideas at further stats I want to parse from the bill to be able to look at it more meaningfully. Perhaps I’ll do it this weekend – this was just the first cut at setting it up.)

First, I grabbed the full text of the bill from HERE. Then, I wrote some (stupidly) simple Python (again, I’m never sure if it’s -good- Python) to parse the bill and turn it into a new file with five columns: Word Number, Word Length, Line Number, Word Position in Line, and the actual Word itself. This essentially turned the bill into a text file with every word in the bill on its own line (in the order it showed up), but with machine readable meta-data I could use to visually represent it.

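    # Split the bill into one word per line, with positional metadata.
    linenum = 0
    wordnum = 0
    with open('/Users/sintixerr/Documents/stimulus.txt', 'r') as stimulus, \
         open('/Users/sintixerr/Documents/sdump.txt', 'w') as finalfile:
        for line in stimulus:
            lineposition = 0
            linenum += 1
            # split() with no argument splits on any run of whitespace and
            # drops the trailing newline, so the last word of a line is kept
            for w in line.split():
                lineposition += 1
                wordnum += 1
                # Columns written: word number, line number, position in line,
                # word (upper-cased), word length
                gstruct = (str(wordnum) + '\t' + str(linenum) + '\t'
                           + str(lineposition) + '\t' + w.upper() + '\t'
                           + str(len(w)) + '\n')
                finalfile.write(gstruct)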

Then, I opened up the new tab delimited bill in my visualizer of choice and ran it through a few different ways of representing the bill.

First, the raw text – without any real manipulation – looked cool in and of itself and I noticed some interesting, if obvious in hindsight, features. (I did clean out some obviously bad data first with a little  sed action, but that mostly just involved removing punctuation that caused the same words to show up as different ones. )

Stimulus Bill Visualized in its Entirety. In this image, the Y axis represents every word (ASCII characters with spaces or carriage returns on either side) in the bill and the X axis represents the Line Numbers those words appeared on.

First, if you look about a fourth of the way from the left, and then again closer to halfway, you see a vertical “break” in the scatterplot where it looks like the density is much lower. That is probably a major section break in the original document (I honestly haven’t actually read it in English yet). That possibility is supported by the second observation which is: Even in human written documents, you can still discern protocol visually. (Again, obvious, but it’s neat.) If you look at the bottom third of the image, it looks nothing like the top 2/3. Much more curving paths, fewer horizontal lines, less density, etc. If you look at those “words”, they’re all document structure words (like section numbers, headings, etc.) …and monetary figures. If you look closely, there appear at first glance to be two or more incompatible or unrelated document content structures there. Above that section is where the more obvious “free form” English exists in the set.

Moving on from there, I wanted to see if I could get anything intellectually or aesthetically interesting by using a scatterplot to draw out the shape of the bill.  To do that, I plotted “Line Number” on the X axis and “Position of Word in the Line” on the Y axis.  (Actually, originally those two were swapped, but the resulting image “looked better” when I swapped the X and Y).   I colored everything by Word on a categorical scale so things wouldn’t blend together too much and then ratcheted up the size scale to reduce empty space. I was looking for a visual representation of the literal structure of the document, not an analysis tool or I wouldn’t have done that last bit.

The resulting image looks like this:

Shape of the Stimulus Bill on its side. If you were to compress the actual text of the whole bill into one page and rotate it 90 degrees counter-clockwise, it would probably have the same shape as this, only with text.

Finally, I was curious if I could do a little manual clustering work. I tried to narrow down the words in the data set to those that might have some intrinsic meaning in the context of the stimulus bill. This means I got rid of prepositions, repeated filler words, etc. I did this by knocking out every word under 4 letters and all of those over 17 chars (over 17 were all artifacts of turning the bill into something parsable, not actual real words). Then I created a bar chart of words and sorted it by how often words appeared in the document and removed about the bottom 70% of words. I made an assumption (which is almost definitely so broad that the data will have to be sliced again a different way for meaningful analysis) that any words that weren’t repeated that often just weren’t a real “theme” to the people writing the document. Interestingly, things like “security” and “health” and some others were left in the set, but “cyber” was removed. Hmm. :) After that, I went manually through the remaining set of words and removed those that seemed to not have any cluster value (both through intuition as well as by visually watching the scatterplot of the whole set while I highlighted individual words to see what lit up.) Finally, since I originally wanted to make visually interesting things more than do real analysis, I used some blurring, resharpening, and layering to give a more cloudy, vibrant feeling to it. Interestingly, that created “clouds” around many of the clusters and made them easier to make out for analysis. That supports my whole theory that what the eyes and mind like to look at is what the mind and eyes are better able to make intelligent use of.
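The automated part of that filtering, as an added example that is not the code used for the post: it reads rows in the column order the script above writes, strips edge punctuation (the sed cleanup mentioned earlier), applies the 4 to 17 character window, and keeps roughly the top 30% of distinct words by frequency. The sample text, the function names and the choice to keep every word tied at the cutoff are assumptions.

```python
import string
from collections import Counter, defaultdict
from math import ceil

# Constructed stand-in for the bill text (not taken from the real bill).
TEXT = """SEC. 101. HEALTH INFORMATION TECHNOLOGY
funds for health security, and for energy security;
the health of the energy grid and cyber security administrationcommunity
energy funds for health programs"""


def to_rows(text):
    """Emit tab-delimited rows: word number, line number, position, WORD, length."""
    rows, wordnum = [], 0
    for linenum, line in enumerate(text.splitlines(), start=1):
        for pos, w in enumerate(line.split(), start=1):
            wordnum += 1
            rows.append(f"{wordnum}\t{linenum}\t{pos}\t{w.upper()}\t{len(w)}")
    return rows


def theme_words(rows, min_len=4, max_len=17, keep_fraction=0.30):
    """Return {word: [line numbers]} for the most frequently repeated words."""
    lines_by_word = defaultdict(list)
    for row in rows:
        _, linenum, _, word, _ = row.split("\t")
        # Edge punctuation makes "SECURITY," and "SECURITY" look like two words.
        word = word.strip(string.punctuation)
        # Short words are mostly filler; very long ones are parsing artifacts.
        if min_len <= len(word) <= max_len:
            lines_by_word[word].append(int(linenum))
    ranked = Counter({w: len(v) for w, v in lines_by_word.items()}).most_common()
    if not ranked:
        return {}
    # Dropping the bottom 70% of distinct words means keeping the top 30%.
    keep = max(1, ceil(len(ranked) * keep_fraction))
    cutoff = ranked[keep - 1][1]
    # Keep every word tied with the cutoff count so the result is deterministic.
    return {w: lines_by_word[w] for w, n in ranked if n >= cutoff}


if __name__ == "__main__":
    for word, lines in theme_words(to_rows(TEXT)).items():
        print(word, lines)
```

The returned line numbers are the X values for the scatterplot; on this constructed sample “CYBER” falls below the cutoff just as it did in the real data set.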

The final result is here:

Stimulus Bill Subject Groupings

Words of substance that might be indicative of topics or subjects within the bill. X axis, like the first picture, is line number and Y axis is Word.

Yesterday, I threw down my soap box into another discussion of ways to rearchitect the internet – specifically the pieces supporting critical infrastructure.  It was, as usual, about technical solutions to large scale, enterprise security problems.  It was a bit of a stretch for me to bring this up in that particular thread, but I think it’s important to beat the drums on this subject wherever possible:

The “security” problems we’re having nationally and globally aren’t technical.  They’re not even security problems, really; they’re failures of management. In fact, they’re very similar failures to those leading up to and causing the current economic mess.  Any technical discussion is really putting the cart before the horse.

For example, I was recently on a con-call where a bunch of people at a large enterprise were trying to track down (to keep it generic) “Secure Devices” they’d purchased. Absolutely no one knew where they all were, who owned them, how many there were, whether they worked or not, how they were configured, etc. Some groups knew theirs, others didn’t. In some cases, there was duplication of effort. In others, worse still, there was conflict of effort. How can this environment possibly result in “security”?

This kind of management mess is the primary contributor to the failure of cyber security – CIKR or otherwise, not technical problems.

Why do I believe this? I started out doing network security analysis. I was really good at it, but couldn’t do it nearly well enough because the tools seemed to suck.  So, I started designing better tools to do things in ways that had never been done before. But then I found that even with better tools, I still couldn’t provide a good basis for analysis because I didn’t know anything about the organization I was “securing”. Once I figured that out I went to try and get the business leaders to provide that information to their security team and I found that the information had never been collected and no one seemed to see the value in doing so.  That’s how I ended up (in short) with the perspective I have today.  It’s based in a sequence of layered steps that I know are solid – I only wish I could do a better job of communicating the dependencies here.

The conceptual failure seems to be the belief that technical risk remediation is a sane strategic end-goal.  It’s not. There will always be technical vulnerabilities and failures of design – that’s a given. You can fix these individually, but that’s a tactic not a strategy.  There is no end game or any way to get ahead of the curve.

Instead, we lack and should pursue national business, social, and government consensus on solid plans to:

  • Assess current environments and keep those assessments up to date,
  • Do interdependency analysis,
  • Plot those against business risk (individual organizations, nationally, etc.)
  • Measure performance and success in terms of business needs supported

Not to mention consensus on “communication” (which is probably even more important) like: who should be at the table for these things, how communication happens and with who, etc. You get the idea.

These are all deficits that are completely independent of the technical architecture of our infrastructure. Filling them would get us a long way down the road to solving our security problems in our current environments.

We have a habit, in the cyber world, of consistently making changes without sober scientific evaluations of cause+effect and it bites back every time.  And, until we start getting better at the above named activities, we can’t do that evaluation in any way that will guarantee successful solutions. (I recognize that there are many, many good initiatives going on in these areas…but so far, they still seem disjointed and lacking enough universal consensus to solve the problem.)

Maybe some of these technical suggestions for rearchitecting the internet will work. Who knows? We don’t even have consensus on where, why, or how our current technology fails or where it succeeds. How can we claim to know what will fix it? Technical solutions to security problems without business context will only ever, at best, be Hail Marys and misguided hope.

Now to get a little more ranty (smile):

I really fear what is happening…which is calls for large scale, quick change without even the most fundamental management practices in place.  (eg, business architecture).

What is going to happen is we’re going to invest a lot of time, money, and effort in investing in technical re-engineering and we’re STILL going to get trampled on by malicious actors…except we’ll be billions of dollars more in the hole. I think that merits being called out as often as possible.  What do you think?

The government and large enterprises get compromised constantly and -at will-. The whole mess from top to bottom, public and private, is absolutely fubar’d. This is public knowledge – it ends up on CNN regularly. Yet, our management processes are SO bad, that even ending up on mainstream news does not force real change. Failing FISMA does not force real change. There is NO visibility from cyber technology to management to business leaders to business risk. There are exceptions, but this is the rule. So you don’t have the visibility to make the needed changes. Not only that, but without the data gathered by these management processes, security controls cannot ever be effectively placed, configured, or run. We will lose, no matter what technology we put in place without these management practices. There is no question.

Technical solutions may work,  but that’s like putting a finger in the dam. Unless there is a framework to consistently identify and correlate environment, requirements, risk, technology, operational processes, controls will eventually fail because the enterprise (national, private, whatever) cannot respond to evolving threats. Spend the money up front to put in strong security practices, though, and the rest will follow.

Even then, we can’t possibly identify all the inter-dependencies and requirements needed to make large changes move without going through exactly the kind of process and management methodology I’m referring to anyway.  Just to put the cart before the horse requires the horse be in the front. (Does that even make sense? heh.)

This is an excerpt from an email I sent to a number of colleagues as we hash out what our various and competing mandates to “secure cyberspace” (in our own domains) actually involve and what we have to do about them. My position is that, first and foremost, we need a business security architecture to answer those questions, and that’s where this following conversation is leading. Various recent discussions I’ve been a part of outside of the job – just in the industry – also were on my mind when I wrote this. There seems to be this belief that “cyber security” is somehow a technical problem, and I couldn’t disagree more. (Note: I’m speaking generally below and am leaving out detail for the sake of brevity – I don’t have time to write a dissertation. :) Note2: The fact that I don’t discuss our complete and utter failure to universally define “identity” doesn’t mean I don’t believe it significantly impacts our ability to secure “stuff”.)

Security really comes down to the identity of systems and people: Who needs to interact with who, what transactions they can perform between them (and in what direction), how long those transactions may last, how often they may occur, which side of the transaction “owns” the security of the transaction.  Everything you do to secure your domain of control flows from this information.  It allows us to (literally):  place and configure the technical and process security controls which you have described as being a sector need.
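One way to record that information and audit observed activity against it, as an added example that is not from the original email: each inventory entry names who initiates, who responds, the action, the duration and rate limits, and the owning side. The identities, limits, flow records and function names are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """One approved business interaction between two identities."""
    initiator: str      # who starts it; direction matters
    responder: str
    action: str
    max_seconds: int    # how long one transaction may last
    max_per_hour: int   # how often it may occur
    owner: str          # side that owns the security of the transaction


# Constructed inventory for a hypothetical plant network.
INVENTORY = [
    Transaction("hmi-01", "plc-07", "read_tags", 5, 3600, "ops"),
    Transaction("eng-ws-02", "plc-07", "write_logic", 600, 2, "engineering"),
    Transaction("historian", "hmi-01", "pull_trends", 30, 60, "it"),
]

# Constructed flow records: (hour, initiator, responder, action, seconds).
OBSERVED = [
    (9, "hmi-01", "plc-07", "read_tags", 1),
    (9, "plc-07", "hmi-01", "read_tags", 1),         # declared pair, reversed
    (9, "eng-ws-02", "plc-07", "write_logic", 900),  # lasts too long
    (9, "eng-ws-02", "plc-07", "write_logic", 60),
    (9, "eng-ws-02", "plc-07", "write_logic", 60),   # third in the same hour
    (10, "vendor-vpn", "plc-07", "write_logic", 30), # nobody declared this
]


def audit(inventory, observed):
    """Return (record index, finding, owning team) for every deviation."""
    index = {(t.initiator, t.responder, t.action): t for t in inventory}
    per_hour = defaultdict(int)
    findings = []
    for n, (hour, src, dst, action, seconds) in enumerate(observed):
        rule = index.get((src, dst, action))
        if rule is None:
            # Distinguish a known pair talking the wrong way from an unknown one.
            reverse = index.get((dst, src, action))
            if reverse:
                findings.append((n, "wrong-direction", reverse.owner))
            else:
                findings.append((n, "undeclared", None))
            continue
        if seconds > rule.max_seconds:
            findings.append((n, "too-long", rule.owner))
        per_hour[(hour, rule)] += 1
        if per_hour[(hour, rule)] > rule.max_per_hour:
            findings.append((n, "too-frequent", rule.owner))
    return findings


def never_observed(inventory, observed):
    """Declared transactions with no matching traffic: the inventory may be stale."""
    seen = {(src, dst, action) for _, src, dst, action, _ in observed}
    return [t for t in inventory
            if (t.initiator, t.responder, t.action) not in seen]


if __name__ == "__main__":
    for finding in audit(INVENTORY, OBSERVED):
        print(finding)
    print([t.action for t in never_observed(INVENTORY, OBSERVED)])
```

An "undeclared" finding has no owner to route it to, which is exactly the gap the inventory is meant to expose.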

If you wanted to describe a “secure” cyber system without this information, your answer necessarily would have to be: “the computer will be in an electromagnetic shielded room with hardware memory that can’t be written to, no disk drives, no connection outside the room, and anyone who uses it must be x-rayed and without clothing to hide plastic or wooden tools.” That’s obviously silly, but we just said secure – we didn’t define exceptions to “secure”. So how is the middle ground defined? What does “secure” mean to you? I’d suggest that it means that whatever controls are in place enable you to continue to operate in a way that supports your mission. In other words, since security is first defined as: “The system should not do anything more or less than I want it to”, you must define what you want it to do. Then, you go through a prioritization effort of what you want it to do so that your budget can support it.

One of the reasons that developing this business context of “what should my systems do” is important to the budget piece is because that information allows us to begin to create attack trees. Attack trees help us understand what the weak points in the system are *that we care about* (not just every and all possible attack). Few of those weak points are immediately apparent or obvious after an informal inspection, so a process is needed. From attack trees and control placement, we can then prioritize our efforts based on a combination of technical vulnerability, business risk, and available money and work out a budget. Otherwise you’re just making up numbers and -hoping- your investment pays off.
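A small worked version of that prioritization, as an added example that is not from the original email: an AND/OR attack tree whose leaves carry a likelihood (technical vulnerability), a dollar impact on the root goal (business risk), and a greedy pick of mitigations by risk removed per dollar within a budget. The tree, every number, the independence of leaves and the greedy rule are constructed assumptions.

```python
from math import prod

# Constructed tree: ("leaf", name, likelihood) or (op, name, children).
TREE = ("or", "unauthorized controller change", [
    ("and", "remote path", [
        ("leaf", "unpatched_vpn", 0.6),
        ("leaf", "flat_network", 0.9),
    ]),
    ("and", "insider path", [
        ("leaf", "shared_password", 0.8),
        ("leaf", "no_change_review", 0.5),
    ]),
    ("leaf", "physical_access", 0.05),
])
IMPACT = 2_000_000  # constructed business loss if the root goal is reached

# Constructed mitigations: (name, leaf it hardens, new likelihood, cost).
MITIGATIONS = [
    ("patch_vpn", "unpatched_vpn", 0.1, 20_000),
    ("segment_network", "flat_network", 0.2, 150_000),
    ("per_user_accounts", "shared_password", 0.2, 30_000),
    ("change_review", "no_change_review", 0.1, 10_000),
    ("badge_readers", "physical_access", 0.01, 80_000),
]


def likelihood(node, hardened):
    """Probability the node's goal is reached, treating leaves as independent."""
    kind, name, payload = node
    if kind == "leaf":
        return hardened.get(name, payload)
    ps = [likelihood(child, hardened) for child in payload]
    if kind == "and":                      # every step must succeed
        return prod(ps)
    return 1 - prod(1 - p for p in ps)     # "or": any one path is enough


def prioritize(tree, impact, mitigations, budget):
    """Greedily buy the mitigation that removes the most risk per dollar."""
    hardened, plan, remaining = {}, [], list(mitigations)
    while True:
        base = likelihood(tree, hardened)
        best = None
        for m in remaining:
            _, leaf_name, new_p, cost = m
            if cost > budget:
                continue
            after = likelihood(tree, {**hardened, leaf_name: new_p})
            value = (base - after) * impact / cost
            if value > 0 and (best is None or value > best[0]):
                best = (value, m)
        if best is None:
            return plan, base
        chosen = best[1]
        hardened[chosen[1]] = chosen[2]
        budget -= chosen[3]
        remaining.remove(chosen)
        plan.append(chosen)


if __name__ == "__main__":
    plan, residual = prioritize(TREE, IMPACT, MITIGATIONS, budget=35_000)
    print([m[0] for m in plan], round(residual, 4))
```

With the constructed numbers, the two leaves with the highest raw likelihood (`flat_network` and `shared_password`) are not what the budget buys first: one fix is unaffordable and the other removes less risk per dollar than the cheap change-review step on the same path.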

And, as far as using universal standards in this area, your requirements MAY look like someone else’s, but the exceptions to that become maliciously exploitable, so you still need to validate and manage your environment and business requirements.

Without this information defined, your security controls will have significant gaps in placement, they will not be effectively auditable for malicious activity, their configurations will not accurately reflect the real security needs of the system, and you will most likely run out of a security budget before you’ve mitigated a significant amount of risk. On the macro level, these really are the areas which hackers and malicious actors exploit with consistently rich returns.

Technical vulnerabilities will always exist, and we do need to maintain awareness of them and processes to try and keep up with them, but these are largely well understood and we still fail (and we fail dramatically) to actually prevent intrusions, data exfiltration, denial of service, etc. – even when we have controls in place. It’s not for lack of technology, really. We have controls out the wazoo – firewalls, antivirus, IDS, etc. We’re just not using them rationally.

This business context (or at least the education and tools to develop it) – if you were to look at every company and stakeholder in the sector as being part of the same business (the business of ____) –  is what I hope we in the working can begin to help provide. I really believe what might seem like fuzzy talk without a lot of action will ultimately result in a concrete way forward to reduce or mitigate the risk we all face.

(Second Update: As of 9/14/2009, I’m working for Idaho National Laboratory (INL) liaisoning to DHS in DC supporting their ICS-CERT effort. This is reflected in the online resume, but not yet the pdf.)

Just a pinging post since I’ve just (finally) updated my resume on this site and elsewhere to reflect what I’m currently doing at TSA. Apparently, IDS analysts in this area are in hot demand, but that’s not really what I do any more. Unfortunately, what I -do- do isn’t as easy to tokenize/categorize as something like that. I do love it, though :) I like…making stuff work better than it did before and do new things. People, in particular.

Here’s a link to the PDF:

http://jackwhitsitt.com/whitsittresume02092009b.pdf

And online:

https://sintixerr.wordpress.com/jack-whitsitts-technical-and-security-resume/

Update: You can now download a Webcam Audio Visualizer based on the one referenced in this tutorial – and some completely new ones – by clicking HERE

INTRO

So I’ve been making some new art lately that I think is pretty cool. Back at Artomatic last year, I wrote code that generated a mosaic of one image out of another and made a 6’x6′ photo and wondered if the code was art, since the only thing it did was generate that one mosaic?

At that point, though, it was still static and the question was (to me) relatively easy to answer.

This time, I wanted something more dynamic and interactive. I wanted to further explore the question of whether or not something that changes every time you see it and which depends on its environment is still “art”. What I ended up doing is using Apple’s Quartz Composer – a visual media programming language – to create an “audio visualizer” (sort of like you see in iTunes, Winamp, etc.). What’s different about this piece, though, is that it combines live webcam input with live audio input into a pulsating, moving interpretation of the world around the piece.

In some ways, the work can be considered just a “tool”. But, on the other hand – and more importantly, I think – the fact that the ranges of color, proportion, size, placement, and dimension have all been pre-designed by the artist to work cohesively no matter what the environmental input moves it into the realm of “art”.

In this post, I hope to use the piece in a way that will give you an example of what it would look like as part of a real live installation and to help explain the ins and outs of my process.

THE BASICS

An easy example of where this would do really well is at a music concert. The artist would point the camera at the band or the audience, and, as it plays, the piece would morph and transform the camera input in time to the music and a projector would display the resulting visuals onto a screen next to the band (or even onto the band itself). This is just one suggestion, though. Interesting static displays could also be recorded based on live input to be replayed later. It’s this latter idea that you’ll see represented below (though you might notice my macbook chugging a little bit on the visuals…slightly offbeat. That’s a slow hardware issue :) ):

In that clip, I pointed the webcam at myself and a variety of props (masks, dolls, cats, the laptop, etc) as music plays from the laptop speakers. There was a projector connected to the laptop displaying the resulting transformations onto a screen in real time. A video camera was set up to record the projection as it happened.  My setup isn’t much, but it can be confusing, so take a look below. My laptop with the piece on it, webcam connected to the laptop, projector projecting the piece as it happens, and video camera recording the projection:

Quartz Webcam Audio Visualizer Demo Recording Setup

TUTORIAL/EXPLANATION

As I said earlier, I used Quartz Composer – a free programming language from Apple upon which a lot of Mac OSX depends. Some non-technical artists might be a little bit leery of the term “programming language”, but Quartz is almost designed for artists. It’s drag and drop. Imagine if you could arrange lego’s to make your computer do stuff. Red lego’s did one type of thing, blue did another, green did a third. That’s basically Quartz. There are preset “patches” that do various things: Get input, transform media, output media somehow, etc. You pick your block and it appears on screen. If you want to put webcam input on a sphere, you would: Put a sphere block on the screen, put a video block on the screen, and drag a line from the video to the sphere. It’s as easy as that.  First, I’d suggest you take a look at this short introduction by Apple here:

http://developer.apple.com/graphicsimaging/quartz/quartzcomposer.html

Then take a look at the following clip and I’ll walk you through how it works at a high level:

The code for this is fairly straightforward:

Simple Quartz Composer Webcam Audio Visualizer

In the box labeled “1” on the left, I’ve inserted a “patch” that collects data from a webcam and makes it available to the rest of the “Composition” (as Quartz Programs are called). On the right side of that patch, you can see a circle labeled “Image”. That means that the patch will send whatever video it gets from the webcam to any other patch that can receive images. (Circles on the right side indicate things that the patch can SEND to others. Circles on the left indicate information that the patch can RECEIVE from others.)

The patch labeled “3”, next to the video patch, is designed to resize any images it receives. I have a slow macbook, but my webcam is high definition so I need to make the resolution of the webcam lower (the pictures smaller) so my laptop can better handle it. It receives the video input from the video patch, resizes it, and then makes the newly resized video available to any patch that needs it.  (You can set the resize values through other patches by connecting them to the “Resize Pixels Wide” and “Resize Pixels High” circles, but in this case they are static – 640×480. To set static values, just double-click the circle you want to set and type in the value you want it to have.)

In the patch labeled “4”, we do something similar, but this time I have it change the contrast of the video feed. I didn’t really need to, but I wanted to see how it looked. The Color Control patch then makes the newly contrasted image available to any other patch that needs it.

On the far right, the webcam output is finally displayed via patch “8”. Here I used a patch that draws a sphere on the screen and textured the sphere (covered the sphere with an image) with the webcam feed after it has been resized and contrast added.

So now we have a sphere with the webcam video on it, but it’s not doing anything “in time” with the music being played.

What I decided to do was to change the diameter of the sphere based on the music as well as the color tint of the sphere.

If you look at patch “2” on the left, you’ll notice 14 circles on the right side of it. These represent different (frequency) bands of the music coming in from the microphone. This would be the same type of thing if you were to be using an equalizer on your stereo (It’s actually split into 16 bands in Quartz, I just only use 14). Each of those circles has a constantly changing value (from 0.0000 – 1.0000) based on the microphone input. Music with lots of bass, for example, would have a lot of high numbers in the first few bands and low numbers in the last few bands. We use these bands to change the sphere diameter and color.

I chose to use a midrange frequency band to control the size of the sphere because that’s constantly changing, no matter whether the music is bass heavy or tinny. You can see a line going from the 6th circle down in patch “2” drawn to the “Initial Value” circle of patch “5”. Patch “5” is a math patch to perform simple arithmetic operations on values it gets and output the results. All I’m doing here is making sure my sphere doesn’t get smaller than a certain size. Since the audio splitter is sending me values from 0.000 – 1.000, I could conceivably have a diameter of 0. So, I use the math patch to add enough to that value that my sphere will always take up about a 25th of the screen, at its smallest. Patch “5” then sends that value to the diameter input of the sphere patch (#8) we discussed earlier.

It’s these kinds of small decisions that, when compounded on one another, add up to visualizations with specific aesthetic feelings and contribute to the ultimate success or failure of the piece.

Another aspect of controlling the feel of your piece is color. In patch 6, you see three values from the audio splitter go in, but only one come out. The three values I used as the initial seeds for “Red”, “Green”, and “Blue” values. Patch “6” takes those values and converts them into an RGB color value. However, notice that patch “6” has three “Color” circles on the right, but only one gets used? That’s because I designed that patch to take in one set of Red, Green, and Blue values based on the music, but mix those values into three -different- colors. So as the music changes, those three colors all change in sync and at the same time and by roughly the same amount, but they’re still different colors. That lets me add variety to the piece and allows me, as the artist, to kind of create a dynamic “palette” to choose from that will always be different, but still keep constant color relationships. This contributes to a cohesive and consistent feel to the piece. A detailed explanation of how I do that is out of the scope of this post, but you can see the code below and take some guesses if you like:

[Image: colormanager]

And that’s pretty much that. We have a sphere that displays webcam input and which changes size and color according to the music playing nearby. But that’s really not all that interesting is it? What if we added a few more spheres? What if we used all three of the colors from patch “6”? What if those spheres all moved in time to DIFFERENT bands of the music?

The code might look something like this:

[Image: multiballs2]

And the resulting output looks something like this:

Yeah I know the visuals are sort of silly and the song cheesy, but the music’s beat is easy to see and there just isn’t that much in my apartment to put on webcam that I haven’t already.

Also, take a look at 55 seconds through about 1:05. The visualization goes a bit crazy. See the white box on top? You can’t see in the video but that box lets me enter input parameters on the fly to affect how the visualization responds. This is the VJ aspect. For these visualizations, I’ve only enabled 2: How fast/big the visual components get and how fast/slow they get small. In that 10 second segment, I’m jacking them up a lot.

What about the original video? What does that code look like? See below. It’s a little bit more complicated, but essentially the same thing. Instead of 16 spheres, I use a rotating 3D cube and a particle fountain (squares spurt out of a specific location like out of a fountain). In addition to just color and size, the music playing nearby also affects location, rotation, minimum size, speed of the particles, and a number of other visual elements:

[Image: myviz]

At some point (as soon as I figure out the Cocoa), I’ll upload the visualizer here as a Mac OSX application for download.

SUMMARY

So, what do you think? Is this art? If not, what is it? Just something that looks cool? In my mind, artistic vision and aesthetics are a huge component of making “multimedia” “new technology” art, no matter how big a component the technology is.  Without some sort of understanding of what you are visually trying to communicate, it’s only by chance that you’ll end up with something that looks good.  But, even beyond that, I found that I had to think pretty far ahead and understand my medium in order to create something that would look consistent AND visually pleasing no matter what environment it was in and no matter what it was reacting to. It was like writing the rules to create an infinite number of abstract paintings that would always look like they were yours.

Also, figuring out what to put in the webcam view when and at what distance is an important part. When I’m paying attention (as in the first video), it adds a whole new dimension. When I don’t care and point it at anything (as in the demo videos), the whole thing becomes a bit more throwaway.
