Lego's Land

Suspending this Blog

2008-06-30T23:03:00.003+03:00

It's been about a year since my last entry in this binary log.

I guess it's obvious by now but here's the official statement: I've decided to suspend my writing in this Blog indefinitely. There are many reasons to it. I don't have the time, interest and imagination to start or comment new topics.

This has been my first attempt to maintain a Blog and I think it's gone quite well. Of course the feedback could be a lot better but I'm under the impression that I've managed to present a couple of interested thoughts and ideas to the world.

The posts I've written over the past months will stay here as an archive until I decide what to do with them (maybe move them to a new location or keep only a small selection of them).

Anyway, cheers!

Want Internet Anonymity? Be Creative!

2007-07-31T02:28:00.000+03:00

When it comes to Internet Anonymity most people try to leak absolutely no information. This isn't always possible and definitely makes them look suspicious. What I propose is to be a little more creative! Create an imaginary character who will represent you online. This character must seem real enough in the way that you give out no real information of your own but still put together a complete, every-day person.

First of all find a name. Next come up with a birth date. After that decide where he will live (country, town, street and zip code). Write them down. These things are pretty much all you need to open an online account and should be the same in all accounts you will use under that name. So our character will need at least an e-mail address so create one. That's it! You can "play" this character and "become" him when in need to masquerade you actual identity.

Wish to enter a forum without giving your real name? Avoid something like "superman123" for your nickname. Use your character's name instead.

Now that we've solved the personal information issue, we want to make sure no digital trail will lead back to the real you. Use TOR along with Torbutton (if you have Firefox) to surf the Internet anonymously! I'd suggest you use a different Firefox profile or even a portable version like PortableFirefox to separate your real-you cookies and passwords from the character's, otherwise one may be able to link you two!

That's about it. The key element is NOT to hide your information but present false yet valid-looking to anyone who requests it. Even if some of your real data gets leaked in the process, one won't be able to tell which is fake and which is not so the "noise" produced by the imaginary character will still cover your tracks. Finally, remember that the character is a role you need to play. That character should seem to be a normal person going online, with habits (maybe subscribe to a couple mailing lists), hobbies and activities.

Botnet Movie

2007-07-15T00:13:00.000+03:00

There's a cool botnet introductory movie over at GOVCERT.NL (Computer Emergency Response Team for the Dutch Government).

Data Ticking Time Bomb

2007-07-06T08:03:00.000+03:00

There's an interesting article over at BBC Technology News concerning the compatibility of modern and future computer systems with old file formats.

From the article:
"Unless more work is done to ensure legacy file formats can be read and edited in the future, we face a digital dark hole." [...] "If you stored something on a floppy disc just three or four years ago, you'd have a hard time finding a modern computer capable of opening it." [...] "We cannot afford to let digital assets being created today disappear. We need to make information created in the digital age to be as resilient as paper."

This really is an emerging problem as we move forward to a more computerized world. Right now the technology allows us to digitize large aspects of ours lives. Computers and electronic services are replacing traditional concepts such as paper-based documents and records and physical transactions.

Nowadays nobody uses floppy disks and most new computers don't even have a floppy drive. How about those people who kept an archive in such disks in the past? They probably won't be able to access it from their current computer system and what about in a year or so? Also, a lot of electronic documents are stored in formats that have either evolved or been completely abandoned. So, is that information lost? This should never be the case when it comes to unique, irreplaceable data!

Currently the idea of open document (format) standards is constantly gaining ground. They are standards for creating text, audio, video, picture files etc. So as long as they are carefully designed and most vendors follow them, we shouldn't have a problem. Things get complicated when closed source software such as Microsoft Office establishes and follows product-specific, non-standard formats which may even be incompatible among different versions!

When it comes to storage media (like floppy disks) the problem still exists since technology evolves quite rapidly and does not allow any ties from the past to slow it down. So yes it's quite possible that the CD you are using today to backup your files will be useless in five years from now since your new computer won't have a CD-ROM Drive! Besides, blank CDs don't have a life expectancy more than a couple of years. At this point, the evolution and wide use of computer networks and the Internet might give the answer. It's so easy to quickly upload and manage large amounts of data that a lot of people do their backups online!

Anyway, it's an interesting article to read and a lovely topic to ponder on.

"Change Your Password!" or Not?

2007-06-22T16:16:00.000+03:00

Today I came across an article at the "Daily Cup of Tech" blog where the author urges you to frequently (every month or two) change your password(s). At first this may seem like a really good idea but I'll have to disagree. First of all let me point out some other password-related security guidelines.

One should never use the same password in all of his accounts. Should one of them be compromised, he is totally helpless. For example your password to a forum should never be the same as the password in the e-mail address you have provided during registration. Most people have two or three passwords and use one of them for their "most-secure" accounts, the second one for their e-mails and the third for every other "low-security" case. I'm not necessarily saying that's the best one can do. Also, passwords should be hard to guess (and therefore hard to remember). So a totally random combination of letters, numbers and symbols, longer or equal to 8 characters is a nice choice.

Let's get back to the article. Having at least three totally random passwords like "C9U6h#*U" or "swa!Es7u" is already a hard thing to do. Frequently changing them and therefore memorizing them every month or so is something nearly impossible for the average user. Too much effort can push one into writing down the password or storing in somewhere like on his cell phone. This is far worse than keeping the same password for a long time.

In my opinion, a secure-enough password is not in any danger from contemporary password-guessing techniques. The only way it can be compromised is if transmitted over an insecure medium, like a non-SSL HTTP session.

Schneier: Airline Security Cartoon

2007-05-18T23:12:00.000+03:00

Cartoon

Found it at Bruce Schneier's blog. It really is a hilarious example of Cover Your Ass (CYA) Security.

Schneier: Is Big Brother a Big Deal?

2007-05-12T05:08:00.000+03:00

Is Big Brother a Big Deal?

From the article:

Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.

When you think you know what you don't know...

2007-05-09T15:17:00.000+03:00

I was attending a Legal Issues on E-Commerce lecture yesterday and I was amazed by the superficial knowledge of the audience on security matters. Being totally ignorant is something I understand, since they may have never had the chance to learn about it, but believing you know about it when you don't is absolutely disappointing.

So we were talking about digital signatures on e-mails and online transactions in general and a guy claimed that when you apply for an e-mail address and give out your name and address, it is the provider's obligation to verify that info and therefore when you get a mail from someone you really should trust its source (yeap, the "From:" field). Can you believe it?

OK, maybe he has never heard of spoofing an e-mail address or taking over ones account but how can he be so sure of the facts to argue that an electronic message coming through a "known and well-respected" provider's network is something you can trust?

Anyhow, here are some Wikipedia links concerning Digital Signatures, Electronic Signatures (totally different object) and Public-Key Certificates.

Schneier: The Failure of Two-Factor Authentication

2007-04-04T14:24:00.000+03:00

The Failure of Two-Factor Authentication (March 15, 2005)

From the article:

Two-factor authentication [...] works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet.

Software Leftovers

2007-04-02T00:39:00.000+03:00

Don't you just hate it when, after you've uninstalled a game or application from your Windows PC, you get all kinds of leftovers? It usually is the installation directory, empty. It may also be a registry key, no longer necessary. And the question is why.

Why do these people write so lousy uninstallation routines that leave annoying garbage behind? One would think I am talking about some third-class piece of software but no. I am talking about very popular games and applications by well-known, well-respected companies.

Maybe it's the whole "Windows Attitude" to spread files here and there, register a couple of components and forget half of them behind in the end. Maybe they just think nobody will ever want to remove their program (cause it's "so cool").

Being a programmer myself, I find it really irritating when others fail to do their job. Over time you will get a PC which will be slower due to a large number of redundant file system and registry entries that still have to be parsed by the OS. And of course there is the aesthetic part which calls for a nice "clean" system.

I want to look at my hard disk and find my currently installed software and files and NOT a history of my activities over the last two years. Is that too much to ask?

Auditing Wi-Fi Areas.

2007-02-21T23:30:00.000+02:00

I've always been curious about the kind of security applied in “Hot Spots” or “Wi-Fi Areas”. These are places where you can access the Internet on pre-paid time. I'm not even going to talk about securing the client's activities and data or providing any kind of anonymity. I was really keen on finding what means such providers have deployed to make sure no unauthorized personnel has access (aka people who haven't paid for their time). So today was my lucky day. While waiting for a flight at Athens International Airport I had the chance to test their Wireless Internet Access Service. Apparently they don't use any kind of encryption on their Access Points. That means anyone can connect to it and receive an IP Address through DHCP (Dynamic Host Configuration Protocol). That's good right? These guys want even the least tech savvy user to be their client. As soon as you try to access your first web site (I'm guessing they offer HTTP only), you are redirected (through a transparent proxy) to a login screen and asked for a PIN which can be found on the back of pre-paid cards. When you enter a valid PIN, (I'm guessing) your IP and/or MAC Address are recorded and their firewall let's you out (or your proxy fetches stuff for your or something like that). So, that's how it works.

Let's say I am a bad guy, well not a bad guy – just a guy who doesn't want to pay. I would go and sit next to a guy who is already surfing, sniff the unencrypted air to easily discover the legit user's IP and MAC Addresses. (Of course I could also sniff sensitive information such as his passwords or e-mails but that's another story.) After that would I configure my own wireless card to use the exact same information (hence masquerading my self as the legit user) and I'm in! That's it! I wouldn't even have to try to find holes in their firewall or crack their infrastructure or brute force PINs. Pretty easy huh? Well, it is.

Then I tried to understand it. First of all their administrator has applied no access control mechanisms to the Access Point because that would require a significant trade-off. It would require every user to know how to configure his wireless device to conform with those security systems (e.g. MAC Filtering, Hidden ESSID, WEP, WPA). This could scare away potential customers who just don't get along with computers very well and the CEOs don't want that. So no “frustrating” security measures.

OK so a lot of people can get it for free. We know it and they know it. Although at first it may seem that a bandwidth piggyback is so cool and let's you surf for free, it actually works in their favor. How?

First of all, including the piggybackers, more people will appear using their Wi-Fi Areas. And, as we all know, people tend to imitate other people's behavior. So if you have a wireless-capable device and see other people using such service you will also feel the urge to use it. So there you have, indirect advertisement! Moreover, people able to perform such stunt will be so proud of themselves that will tell their friends about it. And when their friends try to do it for themselves they may fail but they were expecting Internet Access on the spot so it is very likely they will actually pay for the service after all. Extending that, there will be a time the original hacker won't be able to find victims to take advantage of but going online from the airport may already have become a habit to him or somehing he relies on so even he may purchase credits for the service. Also, if you come to think about it, they providers aren't losing that much. Most users (even unauthorized ones) are there to catch a flight so under normal circumstances that won't take more than a couple of hours. It's not like they are stealing bandwidth for days or so.

To sum up, what is advertised and offered, is Internet Access to counteract those long waiting hours or allow one urgent e-mail to be sent or a short chat to be conducted. In other words it addresses the need for communication, something people are always willing to pay (a lot) for. The generics of this, who pays for it, who doesn't, how secure and reliable it is, are not considered (although they should be) important both by the provider and the majority of users so everyone is happy at the end of the day.

Imbalanced (IMBA) Corporate Security.

2007-01-30T04:47:00.000+02:00

It seems that both corporate networks and their physical installations may be compromised because of some irresponsible security officer.

When we are talking about security (at a corporate level) we imagine an area (or multiple areas) where only certain people are allowed in. And once they are in, they are divided into groups depending on what they are meant to do in that area. That area may be a physical location (office/building). In there, only the company employes are granted entry priviledges. Once they are in, each one works in his own cubicle and only senior employes wonder around checking everybody else. This is the same when it comes to an electronic network: you have different areas (subnet A, subnet B, etc) and different kinds of permissions (server 1 access, server 2 access, etc).

Security officers are mostly concerned about letting people in. When a new guy is hired they screen him and watch him for a while before granting him appropriate permissions. The problem is that administrators are selfish creatures. If they say you are "OK", that's it. They never check up on you or re-evaluate their decision.

This is bad enough but the problem starts when they forget about you even when you leave the company for ever. As a result, active accounts of ex-employees remain in the system allowing them access at any time. This is huge! It only takes an unhappy ex-employee with the appropriate privileges and maybe a little hacking to enable stealing or destroying information or damaging the infrastructure itself.

It's been over a year since Bob left the company his was working at. A few days ago he realized that his network access had NOT been revoked (and - I bet- neither had his physical privileges, alarm codes etc). He was able to remotely access specific systems from the company network and gain administrative privileges. He could install backdoors in those systems to ensure future access. He could use those systems to attack others, sniff the inside of the company's network (firewalls are of no use in this case) and basically do a lot of nasty things. Also he could take advantage of small security vulnerabilities he had knowledge of (like the fact that they used the same local admin password on every PC) to cover his tracks and hide his identity. Taking it a little bit further and under the assumption that nobody bothered to cancel his alarm code (they took his key through), it would be possible to invade the premises during the night, disarm the alarm using his code (or any other ex-colleague code his knows - this is another big issue) and steal/damage anything he wanted.

As Bob told me, it took 3 months since the day he started working there to get a key for the front door and remote access privileges. Apparently the security officer wanted to make sure he was not some malicious person. What worries me thought is that he took all that time to verify Bob (while making his life harder since he was an employ and did not have sufficient means/privileges to do his job) but still, 12 months since his last day at work, Bob's clearance hasn't been revoked. It's safe to assume that this is not an one-time event. Unfortunately it is my belief that there a lot of "orphan" accounts in the system.

This rises a couple more risks. Let's assume that Jane is also an ex-employee but isn't as cunning as Bob. She has never thought of doing any of the stuff I've just talked about. Jane's account is still active though and is protected by a very easy password. When the sysadm tries to enforce a new (better?) password policy he will not look after Jane's account because Jane is not working there any more. Right? Wrong! Maybe all 999 employees have updated their accounts with hard-to-guess, complex passwords. It takes a single account, Jane's, with a dumb password like "janedoe47" for an attacker to infiltrate the network.

Loose privileges are a liability!

To sum up, securing a physical area or a network means analyzing every possible scenario and providing general cover and failsafes and not just focusing on the "front door". Because that's where an attacker will try to gain access. He will hit weak abandoned accounts with weak passwords, forgotten remote privileges and protocols that should have been revoked.

Dogbert's Password Recovery Service for Morons.

2007-01-28T22:59:00.000+02:00

Check it out here and here :)

Putting jokes aside, some "secure" services work that way :P

When Google turns against you...

2007-01-17T02:41:00.000+02:00

Google began as a research project in January, 1996 by two students in Stanford University, California. Larry Page and Sergey Brin (the two students) believed they had a better idea for searching the Internet than the existing ones which ranked web sites based on the number of times a search term appeared on each page (so the more keywords you had in your home page, the higher rank you got - obviously inaccurate and exploitable). The Google Search Engine actually analyzed the relationships between websites (how and how many sites linked to another site). It went public in 1997.

Today, the year is 2007. Almost, ten years have passed and Google is estimated to hold 70-78% of the Internet market. It has become a synonym for web searches and is even, unofficially, a verb ("Google 'this' to know more"). It's one, big, central point (hence "point of failure") which searches and indexes the entire World Wide Web. Some call it the "front page of the Internet". People would kill for their sites to appear on the very first results for a keyword. And on the other hand, "if you site is unreachable by Google then it doesn't exist". This really changed the Internet in the late decade but what about now? There truth is that various problems are coming up.

Google can be fooled or (worse) manipulated.

A couple of days ago I read an interesting article on Javalobby which talked about how their forums got spammed and how the Google flagged them and removed them from its results. The guy who posted the story on Slashdot titled it "When Your Site Ceases to Exist". But, let's take things from the top. Javalobby maintains a forum with parts of it where unregistered (and anonymous?) users may post. That's a BIG mistake. It's also very naive (I'll expand on this another time). As a result, spammers exploited that and filled them with about 50.000 messages advertising pills, porn and gambling. Very soon Google's filters picked that up and considered their site yet another "bad apple", burying it down into the ground. How did that affect the site? According to the article's author, they lost about 10.000 visits a day which came from search results references. That's a tragedy for someone who has invested time and money so that users can find his site when looking for certain things. Of course he didn't have a contract or any other agreement with Google. He just trusted it to do the job right.

Yesterday, I read another interesting story on GNUCITIZEN. According to this, their site was down a couple of days due to technical difficulties, displaying an automated error page (Wordpress default error). It's the same error page any site would show if using the same software they did. So the author discovered that Google correlated his site with others showing the same error because it thought they displayed the same content. Technically they did. It was the same HTML page so, based on absolute deterministic logic, they should belong in the same group. The problem is they don't and, worse, even after the problem was fixed and the normal home page was back on, Google kept grouping the site with irrelevant ones. The author goes even further thinking this from a security point of view. He says that if an attacker sets up a couple of web sites (with minimal cost) displaying the same error page from above, plus some Pay per Click advertisements, Google will "work" for him, grouping them with other legitimate sites, which may hold a very high rank in certain keywords. So if an average user types those keywords he'll a list of search results containing the legitimate sites, followed by the attacker's. As a result the attacker with little time and cost will have managed to steal those keywords in his favor and have malicious content showing up in the first page of search results. Imagine porn advertisements in the same results page as the link to "www.ibm.com" when someone searches for "IBM". And Google will have been his accomplice.

So... what do we have here? It has been clearly demonstrated that Google is a single point (of failure) which can be fooled and manipulated. Nowadays if Google can't find you, you don't really exist. Does it have to be that way?

The answer is NO and it comes from the world of peer-to-peer (P2P) systems.

A lot of people know and use digg. It's a website with no actual content but which allows any user to post a link about another website and a short description. Then, other users who find that link interesting, place a positive vote on that post (not on the user). If they don't, they place a negative vote. And when some third user visits digg, he is presented with a portal containing the latest of everything on the Internet (and links to them). There's a threshold (can be customized per user) on what you see. You get posts that collected a large number of positive votes and miss all the others. You can also vote positively or negatively on one or more posts, shaping that way its ranking. The result is that you read stuff that's interesting for most people and skip the rest.

And what about del.icio.us? It's a website with no content of its own (like digg) where users keep records of their personal bookmarks. It works this way: you come across a site you want to bookmark, you place it on del.icio.us and tag it (that is characterize it using keywords). Then, you or everybody can select a tag and find all listings under it. For example you find a funny link about computer games. You post it and tag it using the keywords "funny", "computer" and "games". After a month or so you may select "funny" to see all links that you considered to be funny and so can everybody else.

Isn't that searching the Internet? The difference is that it is users who do the job and not some stupid bot. This isn't P2P on a system level but on a human one. It's not that there are a lot of computers searching and exchanging results and listings but it's humans who do that. If I see something worth looking to, I'll post it so that my (Internet) friends can see it. Then, each of them will promote it (by voting it or tagging it) so that his (Internet) friends can see it and so on. Nobody waits a single source for information.

In both cases from above crowdsourcing is applied. That is both digg and del.icio.us are empty vessels, filled with user activity from all over the globe. Pages are commented and ranked using democratic votes. If one posts something bad, he gets all negative votes and it's buried under the good posts. If one makes a bad comment on a good post, the comment itself is buried by negative votes on the comment and not on the post. It's all very amazing.

OK it's not like "I want to know about Company ABC" but it's not like YET. Imagine a similar site as big as Google where people registered and tagged everything. Then there would be an "ABC" tag and not just that. There would be comments on the company, it's products, it's site, etc. How about that?

Isn't that a couple of generations ahead from looking at a huge list with nothing but a couple of URLs (Google Style)?

Now that we are talking about it there is another, more obvious, P2P model for searching. A distributed Search Engine. Each user's browser contains a small "agent" which looks at a small piece of the Internet, indexing sites. Then, it communicates with it's (network) neighbors (browsers) informing them of its findings. They do the same thing. So when the user (human) types something in that search engine (the interface of which resides in his computer), it knows where to find it or, a least, who to ask. Then it gets multiple results and even mirrors of the source along with ranks and tags like the ones I've just talked about.

When you are looking for something, wouldn't you prefer an option some guy you trust has recommended? Well, that's what I am talking about! I'm talking about the future.

No more "Google can't find me, therefore I don't exist". We won't have to care about that. If you exist you will be found. Or maybe the saying will be shaped into this: "I'm not interesting enough, therefore I don't exist". Haha we are talking about the ultimate democracy. Which government or agency will be able to suppress such system?

When you are trying to censor or manipulate content that the entire planet reviews and comments on, the battle is lost before it even begins.

Of course there a lot of security issues here. Will someone be able to poison such system by deploying thousands or millions of user-imitating bots? Will someone be able to run a DDOS attack by manipulating the system (Slashdot Effect or Digg Effect)? Will phenomenons like "psychology of the crowd" or "gossiping" take over? These (and a lot more) are factors we should really take into account but decentralizing information databases and adopting a more open model when it comes to content management and distribution is certainly the way of the future. I'll get back to the security portion of this some time.

To sum up, the Google algorithm in its current form may not able to handle well the Internet of today and certainly won't be able to do so in the future. Like two students from California revised in 1997 the way we searched the Internet, maybe it's time again to make the next step forward into something as radical and advanced as Google was for that time.

Bringing down the house.

2006-12-31T20:38:00.000+02:00

There have been so many action movies where the use of access tokens is demonstrated. They really are small devices which usually provide a long string of numbers, which periodically changes and only the device owner knows about it. Therefore it must be the ultimate form of secure authentication. Right?

Well, it's not a bad idea to start with. The problem is that humans are always involved in the process. Like an IT Security director who suggested users should attach their personal access token on the computer they are using to prevent them from misplacing it. OMG. It's like using a sticker with your username and password on top of the screen, version 2.0.

As you can understand the system itself may be sufficiently secure but the way it is deployed and used may severely counteract its benefits.

P.S.: And of course there have been and always will be stupid people :P

Putting emotions aside.

2006-12-22T22:49:00.000+02:00

Today I was talking to a friend of mine about a project I'm working on and the PKI in general. We analyzed the current issues concerning end-user security, whether it's an ATM PIN or a website's login. We agreed that the common one-factor (password) authentication is just about to expire. The world needs something better and by this I don't mean "stronger" passwords because this usually increases the complexity of the token one has to remember, therefore compromising the safety of the system. So we were sitting there, drinking coffee, talking about it and suddenly my friend said:

When it comes to security, emotion must get out of the way.

By that he meant that we should eliminate the human factor. The actual words he used were so interesting that I thought they were worth mentioning here. He spontaneously revealed the reason humans are the always the weakest link in a security chain. It's not because they can't count high enough or work 24/7. It's because they have emotions that can drive them out of logic's way and make them do things they will later regret.

Those emotions will make them "help out" a beautiful girl, sympathize for someone pretending to be their colleague or express unreasonable behavior under fear or stress.

By eliminating the human factor we eliminate fraud (OK, maybe that's not entirely true). Computer's never doubt. Their decision making mechanism is binary, something is one or zero, true or false.

Of course computers are products of humans so there you have it again, the human factor. So maybe it's not that easy to get rid of it but surely can contain it in groups of specialized people.

It's one thing having a security expert taking care of your safety and quite another You being solely responsible for it.

So the next time you read a security policy for a service, search for the You-Are-Responsible-For-The-Safety-Of-Your-Account paragraph. Don't accept it and look for something more serious.

Passwords in the hands of users.

2006-12-21T00:21:00.000+02:00

I've talked a couple of times about passwords, how strong they should be, how to strengthen them for that matter, etc. But when it comes to the average user what does he use as a password and how does he understand the whole concept?

There's an interesting article by Bruce Schneier on his weblog. The moment I saw it I had a deja vu. At first I quickly searched through this blog to see if I've already talked about it but no. So I guess it's because this is a constant issue that's been around for years.

The article is based on a research done by some guys who set up a fake MySpace login site and harvested actual user passwords. Then they ran a couple of tests on them and presented the results.

So 23% and 25% of them where 7 and 8 characters long which is good, meaning that people have realized that just because your password is secret to everyone else doesn't mean it has to be three letters long since the attacker can always start guessing.

Also, an impressive 81% are using both letters and numbers although 28% of them are just lowercase letters followed by a single digit. That might have been sufficient enough if over 90% of them weren't dictionary words or names followed by a number like "book2", "label7", etc.

Finally, the most common password was "password1" which is relatively good considering that a few years back it was just "password". So things are slowly getting better :)

At this point I feel obligated to rise a question: do we need stronger passwords or just an alternative to all of this?

Think about it. I'll get back on this...

Should Viruses Threaten Us?

2006-12-05T20:02:00.000+02:00

The last time I, and anyone I know, was infected by a computer virus it was almost 10 years ago when 1,44MB (3,5'') diskettes where in fashion. Back then, viruses where a true menace since the Internet was not popular enough and the most common file exchange method where these diskettes. At the same time Anti-virus programs had not yet proven their necessity and as a result, a single diskette (used as a means of file transfer) could infect many many computers.

Users trusted a diskette from a person simply because they trusted the person. That was totally wrong since they couldn't really know where it had been before. And without an Anti-virus or any experience on the matter they could, without knowing, use an infected computer and possibly infect others simply by sharing their files with them. It really was like the human HIV virus. The was a big problem.

Since then, many things have changed. For starters, most computers don't have 3,5'' drives any more! Of course there's the Internet which is an even worse potential point of infection since you are practically exchanging files with the entire planet but one would expect computers users had grown wiser.

In our modern world where computers come with pre-installed Anti-virus systems is it acceptable for the average user to be infected or, worse, to infect others?

Today a friend of mine was telling me how his PC got infected by an .mp3 file someone gave him. What it did was create a hidden folder every time that file was played and fill that folder with random data over and over until it took up all the space left in his hard disk. He had to format the disk and install everything from scratch to fix it. He also mentioned another case where a virus cloned itself at runtime and consumed all the CPU time, thous making the system freeze. Rebooting didn't help him since it loaded itself during boot. He had to format the disk again.

While he was talking to me I couldn't help thinking "is this right? is this supposed to happen?". I mean, for a moment I thought I was 10 years in the past exchanging diskettes. I really couldn't believe that a computer user in the year 2006 did not have an Anti-Virus system installed and, worse, that a large computer users group did not shield themselves against such old and common threats.

From what I understood he didn't care much about the incident and, in his mind, thought of this as a totally normal thing because "computers break" and you have to "format them quite often to keep them in shape". Is he mad?! First of all, formatting your master hard drive should be the absolutely last choice you have and, frankly, I can't really think of a problem that demands this kind of solution. Secondly, I can't get over this belief that computers are "mysterious machines that may refuse to start or work properly for no reason". I believe we had almost two decades to familiarize with them so if you feel funny around computers maybe you are falling behind. Try to keep up!

In my little Utopian mind I picture a world where no viruses are left lying around just because everyone is keeping them out of their PC.

Sadly viruses are out there and are more mean and destructive as ever and we've simply forgotten about them. We feel safe when we shouldn't. We may not hear about them or see them before us simply because they are in hibernation. The first chance they get though, we'll know they are there the nasty way.

To sum up, unfortunately we haven't gotten rid of viruses so it's better to keep an eye for them since all it takes is a low-tech piece of code that will get you in trouble when you least expect it. Things can change and will change as soon as we treat our computers with responsibility and understanding.

P.S.: This page has been scanned for known viruses and found clean :)

Why Passwords are a Bad Idea...

2006-12-04T22:52:00.000+02:00

BBC News has an interesting article on how passwords may weaken our security by far.

It goes on saying that, according to the UK's International Telecommunications Union, people nowadays have so many passwords to remember for so many different places that they inevitably start re-using the same keys again and again (in the worst case of all, the same password is applied to all authorization queries). As a result, it is quite easy to compromise a man's electronic identity (his online accounts to forums, commercial and banking services, e-mail, etc) just by cracking one or two of his codes (which may also be easy to guess - don't forget about brute forcing and common words). And of course many variant schemes may be seen here. For example if an e-mail account is compromised and the attacker uses the "remind my password" feature to all web sites the user is subscribed in, there's a great portion of them that will return the actual code is clear text via e-mail.

So there you have it, passwords are making people's life hard and at the same time increasing their sense of insecurity. They can't remember all of them! So they start writing them down on a piece of paper which they keep inside their wallet. Or they use (common passwords) their birthday or license plates' number and in general they violate one-by-one all keeping-passwords-safe rules.

And I'm wondering, is it time to move forward to something else? And if yes, what might that be?

Let's consider PKI for a moment. It stands for Public Key Infrastructure. I won't get into too many details here (maybe another time). Just thing of this as a system where all you need is a smart card (looks like a credit card) which holds all your information (identification, license, commercial and banking accounts, private keys). This card is password-protected so you do have to remember one password. Maybe there'll be a next version where there is no password and a biometric sensor protects the card's contents.

Anyway, with a single smart card you can exchange, through secure software, all the necessary authentication info with your e-mail provider (to access your messages), your bank (to check and manage your balance), e-commerce sites (shop online and all) and of course any other place on the WWW in which you need to properly identify yourself in order to gain access.

While some may think of this as a bad idea because all your keys are in one place, a single card - aka single point of failure, which is easy to be stolen and / or compromised. Well that's not exactly true. The card itself is very secure. Yes, someone may steal it from you since it is a physical item but it is highly unlikely he will ever be able to access its contents. So your secrets are safe and your life a lot easier.

After all, strengthening security should never be towards the end-user.

This will make things difficult for him and cause him to compromise his own identity. The PKI concept really means for the end-user to have a single card in his pocket which he must use upon login and take away upon logout. As simple as that and everybody is happy :)

This is a big issue and I'll get back on this sometime soon.

Bottomline, forget about passwords!

Programmers please do meet Designers

2006-11-29T13:04:00.000+02:00

As an open source programmer I try to make my code very flexible and customizable. This means that my code may be read by someone else and take extra modules or be applied in various environments and still behave in an optimal way. This is achieved through a variety of options and parameters passed at run time by the end user. Sounds cool, right?

Well, this demands a configuration file, in the worst case, as long as the number of options the code parses. Of course all is set to default and the end user may never notice but what happens when we go GUI?

A Graphical User Interface is connected to a "user-friendly" way of controlling a program or a computer in general. The problem starts with the way people understand this. For me, user-friendly is when I am given a list of options (well documented of course) which shape the program according to my wish. For someone else, user-friendly is a program which contains only one button "Run" and NO options. The user clicks "Run" and it runs, no questions asked. The user will never understand what is going on. The program may not work properly or may not work at all. The user doesn't know. As long as nice balloon messages pop up, everything is smooth.

So... it is very important to take the burden of GUI from programmers and establish communication channels with designers. Otherwise you'll get something like this:

Combating Keyloggers

2006-11-29T12:27:00.000+02:00

Ever found your self in an Internet Cafe checking your e-mail or a forum you are registered in? Did you stop for a moment to assess your security? Is someone looking over your shoulder? Is someone watching you in any way? Is the computer you are logged in infected with programs recording every keystroke? (You can't really check that one) No? Well, you should!

Ideally your presence in a public Internet access place should be entirely transparent. This means you should not type in at any time any personal information (no form filling, no logging in).

Anyway, I've come across a very interesting paper (PDF) which describes a simple yet effective technique in entering secure credentials in a compromised computer. It all begins with the basic principle in security: always assume someone is listening. So let's say you are sitting in a public computer. Always assume there's a keylogger installed which records every keystroke therefore is able to record your username and password as you type them.

For every valid username or password character you type, click somewhere outside the form and hit a long string of random characters. Then go back inside the form and continue with the second character, etc. That way while you'll have entered "ABC" as you password, the malicious software will have recorded "AasdsalklkblB9rbvmdsaCdg9tmbafff" (capital letters are used to distinguish the actual token).

This works because the keylogger may know that you are inside an internet Browser and what keys you press but cannot figure out the exact location of the keyboard cursor.

Sounds like a good trick huh? Well, I agree. It is pretty good. But let's be smart about using it.

[ Debugging... ]

Improper use of any security technique is all it takes to render it useless.

In the above method you should not type the same password twice in the same computer because, as you can understand, patterns emerge. So if I type:

AasdsalklkblB9rbvmdsaCdg9tmbafff
AlkfdlgmkmbkdasB324kfdlklCkfkbba
dmfdlkdsAmmkdgfg552BdfdffdCcba

we have three strings of characters all containing, for sure, the actual password.

Now all we have to do is use a known algorithm which uses certain known characteristics to crack the system. For starters if a certain letter or number or symbol is not present in all three tokens, it is excluded since it can't be part of the password (which exists in all three). Next, there's the sequence of characters. If for example we encounter the sequence "mb" (and not the sequence "bm") in only one or two of the tokens then either "m" or "b" have to excluded. The algorithm goes on so that only a few characters are left and then we start with possible combinations. If we take into account that most users use 5-8 character-long passwords, a brute force won't be too hard.

Of course there's always the smart way called Longest Common Subsequence problem.

Let's sum up...

what we have here is a very practical technique in protecting our sensitive information from a keylogger. But we must use it wisely and only once since patterns emerge which can bring the whole thing down.

P.S.: Also please consider the majority of users, when asked to type in a random string, will go for "asdf..." due to their fingers' position on the keyboard. Not so random :P
So here you have another characteristic which can make the cracker's life a lot easier.

RFID Passports Cracked

2006-11-18T20:39:00.000+02:00

It seems that the new uber-secure RFID Passports issued by many European countries after pressure from the U.S. are not that secure after all.

RFID Passports are ordinary-looking passports containing, besides the "human readable" information and authenticity signs, a Radio-Frequency Identification Chip which stores all printed information (and more) and transmits them to wireless readers used at Border Control. The reason for the chip's existence is that it is considered (or at least was) impossible to copy or forge so that even if a malicious person managed to reproduce the actual document he would never make it in producing a valid chip to complete the passport.

So one could ask "what if I buy an RF Reader for $9.99?". Well, authorities are using the 3DES encryption algorithm to encrypt the information on the chip. It is currently considered an above average method, providing 112 bit effective security.

The problem starts with the (known) fact that three public pieces of information are used to build the encryption key: (in the exact order) the passport's serial number + the owner's birth date + the passport's expiry date. So... you don't have to attack the encryption! Just find out (pretty easily) that kind of information and you have yourself the actual encryption/decryption key. Then you can go home, in your garage and clone or modify the chip's contents.

This is very much disturbing since the whole purpose for the new passports was the security provided by that chip but it turns out there are a few wide cracks in it.

[...]

Another problem with these passports is that they transmit in the air and that they are (normally) unique. So... one could identify you by placing an RF Reader inside a dumpster that you walk by every day. And maybe place a bomb inside that would go off if you and only you be in proximity.

Of course, official authorities have issued passports sleeves that act as "RF shields". According to this the chip cannot be read from inside that sleeve and you only take it out just before the police checkpoint. Well, it has been demonstrated that even then, the chip can be read. You just have to be really close to the subject. Doesn't seem like a problem when you are packed up against each other in a crowded area like the subway or a huge waiting line in the airport.

To sum up, current government efforts to control foreigners in their countries seem like panicked maneuvers of a nation under attack. If they feel that way, then somebody should admit it and then maybe we can all go home at toss those e-passports away (maybe shred them and burn them just to be safe).

And for the last time, just leave cryptographers to deal with cryptography issues!

Committee members are excellent at screwing it all up.

Goodnight.

"For your convenience"

2006-11-06T03:22:00.000+02:00

It is a common joke here in Greece the story about a boyscout who desperately wants to do his good deed for the day and helps an old woman cross the street although she preferred to stay on the other side. The last few years many services online tend to do things for us, before us.

For example, today I received a World of Warcraft 10-day free pass from a friend of mine. According to the instructions all I had to do was install the game and create an account using the key written on the pass to play for free on the WoW servers. Right? Wrong! During the account creation process Blizzard asked me for my credit card number. Why? So that should I wish to continue my "online experience" I won't have to go through a new registration process and possibly don't make it in time to keep my current character in the game. In fact the disclaimer insists that this is for my own "convenience" and that if I make that choice (to renew my subscription), my credit card will be automatically billed every time my pre-paid time expired to ensure "undisrupted gameplay". The above are an essential step in the "free" account registration process. If I want to get a free account, I have to fill in my credit card number. I may stop playing at the end of the 10-day free period and never get a new subscription ever again. It doesn't matter for them. They still need my credit card information. Of course I do not believe this is a scam and that I'll be billed but what a minute.

The problem is that Blizzard will store and manage my sensitive credit card details according to its policy. Well, I do NOT trust that policy. Having that information available in some hard disk somewhere in the world does NOT make feel safe. And what if some cracker manages to compromise the safety of their systems? Certainly no one can claim they have a "hack-proof" system. You never know the next point of penetration until you are penetrated in that way. So why do I have to worry about that?

Giving your credit card for an one-time automated billing process is one thing and keeping it stored for the future is quite another. The people who use the second policy have to say in their defence that the user does not have to go through the information fill-in process again and again. I don't mind. As long as we are talking about SSL sessions I really don't mind typing in a few letters and numbers every time I want to buy something.

So this is a classic case where they make me give up my information for them to store in order to make a single purchase. I may never get anything from them in the future. That doesn't matter. For my "convenience" and "service" they'll keep that information. Well, if they care so much about my "convenience" why don't they take the time to ask me what I really want?

How safe do you feel about your online accounts? Right now, this moment, assume your identity is compromised. What would you lose? Do you have your credit card details stored somewhere? Assume they are compromised. How much money do you have in your bank account? Think about it.

These things scare people off the net. It's not me or any other guy talking about security and possible attacks. It's the marketing departments of companies providing "digital ease" and then when someone hacks in one of these databases and it hits the newspapers everyone is terrified and talking about how vulnerable we are against these "criminals".

Let's go back to the Blizzard case. I did not give my credit card. For a moment I considered opening another bank account and having a second credit card, linked to that account, so that I can contain a possible disaster (I would keep a very limited amount of money there etc). Then again why should I do it? Why should I get into paperwork and banks and ultimately employ a very "inconvenient" way in order to register in a system designed for my "convenience"? And what if I do not have a credit card? World of Warcraft subscriptions may be payed with the use of pre-paid cards sold in stores. Many people, especially teenagers, use them. So there's an alternative payment method for full-time subscriptions but not for guests.

To sum up, the "free guest pass", designed to bring people in the game, worked exactly the opposite way for me. And any other "smart" system that works for my "own good" without asking me what I really want will never have me as a customer.

Dear Blizzard,

I am not technophobic or anything. In fact the majority of my purchases are placed online. I am into technology and that's why I want to see things getting more secure and therefore more user-friendly. I JUST DO NOT TRUST YOU GUYS.

Reorder accounts in Thunderbird

2006-11-03T20:21:00.000+02:00

Ever wanted to change the order in which Thunderbird presented your e-mail accounts in the left panel? Me too. Unfortunately it is not that easy for a novice user.

First of all, I tried to think like the people who wrote it. We' re talking about serious developers here. So it is common to allow a lot of configuration/customization to be done through special files (known as "conf" files). These files contain text which is interpreted by the application at runtime and are an excellent way to pass many arguments. This provides much more options that the typical "Options" button under the Tools menu.

So I started looking around my Thunderbird Profile folder until I found "prefs.js". I opened it using a serious text editor like Notepad++ to find the entry:

user_pref("mail.accountmanager.accounts", "account1,account2,account3");

I experimented by swapping "account1" with "account3" and restarted Thunderbird. And guess what, it worked!

Excellent Tip if you ask me :)

Oh, make sure you are not running Thunderbird while modifying this file and, just to be safe, take a backup before doing anything.

P.S.: You Profile folder should be located under "C:\Documents and Settings\[username]\Application Data\Thunderbird\Profiles\"

One click away from doom

2006-10-29T02:49:00.000+03:00

Recently I caught my self observing various high-level graphical interfaces used in web services. All of them were custom-made solutions made by small companies yet used by large organizations and universities. In most cases they try to save some money. That's quite a big mistake since large-scale commercial applications have been tested and are supported by entire groups of programmers. On the other hand, something your local two-man dev team will present will be buggy and incomplete and the drill always has to do with the programmers standing by the client and fixing stuff on the fly. In the end, the result will be something that "just works".
How about quality of service?

I would like to go pass the bugs and focus on usability. Many times two buttons are placed next to each other: one commonly used and a very "dangerous" one like "delete" or "submit". I mean it is a matter of time before some user "misses" and clicks the wrong button. Why? Because someone tried to get the "cheap" solution and look good to his boss.

To a certain extend I understand the guy who made it. I am a programmer myself and don't pay much attention to design (and GUIs in general). On the other hand, I would never choose my self to develop from scratch something big and important because I know I would make mistakes that have already been done and would ignore certain things that have already been pointed out. Nobody can know everything. One must be wise enough to make that call while discarding any influence coming from his ego.

I am thinking about the guy who decided to hire a local crew to do the job. Obviously he doesn't understand much about the job to be done. Probably he is some financial analyst with no idea about computers or software. I bet he has never written a single line of code. Because if he had, he would know that all he did was undermine the entire group of people that would have to use the system. He has one chance to bring in a service and he made the wrong choice. It'll be another 10 years before the system is revised and even then it is doubtful whether they will replace it or not.

In the end of the day, it is these things that make the life of computer users harder and therefore enhance the myth that "these damn PCs are a pain in the neck. We would be better off without them".

Think Big, Program Less

2006-10-20T15:34:00.000+03:00

Today I was programming an indexing application in Java. It starts from a specified path and creates a Hash table with all files in that path and all folders underneath. Its purpose is to find duplicate files even if their filename is different. The code is pretty simple but I made one critical mistake: I didn't stop and think how my procedures would behave in a large scale. That cost me about an hour of debugging (more like my head banging against the wall).

Here is the problem: Although the code is correct, it recursively does it all in a single method. This means the Garbage Collector, Java's memory freeing mechanism, won't do anything until this entity is no longer in use. As a result no memory is being freed during the application's operation. This is very hard to notice when using small files as a test bench but what happens when you have to index a couple of dozen of gigabytes? I'll tell you what happens: withing the first seconds of runtime, the application consumes all available memory and the Virtual Machine crashes. If you feed (the beast) with more memory it will simply grow bigger before crashing but will never finish. Only if you could provide virtual memory equal to the total size of the files to index, the application would complete its job but that's impossible and of course a very very very very very very bad idea!

The solution: design a new method explicitly for hashing the files, one at a time. So for every file, you invoke that method, load its contents in memory, digest them, unload the method, release its contents (for the appetite of the Garbage Collector) and return the result. So simple! And again let me stress out that the unsuspected developer would consider the two approaches as equal.

I was pretty sure my application would work the first time and was about to release it through my web site when, just for the fun of it, decided to check out if I had any duplicate MP3s. Out of pure luck I discovered that my code would behave very badly (or if you like, would not behave at all) under real-life conditions.

What I've learned from this is to think out of the box (at least try) and try different angles when designing something. My point of view may be entirely different that yours and I have to take all factors into account if I expect my programs to function properly in systems besides my own :)
Oh, there's another useful point that comes out here: you may be using a high-level language but you must never forget your computer's architecture and capabilities. In this case, don't forget about memory management just because Garbage Collector does it for you.

P.S.: This reminded me of a major bug caused by the overflow of a common “int i” temporary variable in an “average number calculation” implementation. I remember pointing out that certain programming “habits” should be revised to avoid (at best) the embarrassment. You can find the story here.

Tactile Passwords could strengthen our security

2006-10-20T02:00:00.000+03:00

There's an interesting article over at NewsScientistTech on "Tactile Passwords", a user need-to-know authentication method that relies in the sense of touch. This means that one doesn't have to type in or pronounce a string of characters or numbers, just remember a tactile pattern (or sequence of patterns) and select it upon challenge by a security system.

In detail, Braille-like devices (already employed by visually impaired people) are used to carry patterns to the user's fingertips. Then, the user must click (or somehow select) the ones corresponding to the unique sequence he was given by the Certificate Authority. It's like the machine is asking you "Is ABC your password?" and if it is, you answer "Yes". This may seem stupid at first sight but think about it.

No sensitive information is exposed on a screen or keypad but tiny pins under your fingertips, which only you (the person in contact) may feel and "read", perform the authentication process. Of course the sequence of patterns is randomized each time but that's a detail.

I believe this is a very interesting idea when it comes to safeguarding a critical point in user authentication: the one-factor (aka password) policy. Every time you type in your ATM PIN code or any other code for that matter you shield (or should do so) the keypad with your hand. Why? Because anyone standing behind you could see what you are typing. This is the same reason asterisks, instead of the actual password, appear on the screen. "Shoulder-Surfing" is a big headache to security experts. Could this be the end of it?

Of course I, being a little more paranoid, believe that any place where some stranger may stand behind you while typing a PIN code is not a safe place. He can always stick a weapon in your back and force you to type the correct code. As you can see, if you have to worry about someone observing your actions, you have to worry about even more serious things. Anyway, just giving some food for thought.

P.S.: If you can't picture the tactile authentication devices, check this out. It looks like a common mouse, doesn't it? :)

Who's messing with my mail?

2006-10-13T14:00:00.000+03:00

Everyday I see mailing lists that allow uncontrolled (un)subscription. That means that all you have to do is type in your e-mail address to join/leave that list. Why is that wrong?

Because if you know a guy's address you may subscribe him to spam/porn/etc lists despite his will. You don't get much profit out of this except the fact that you make his life a little bit harder (sorting out the spam). For example I beginning to believe that someone is giving away the list address of an academic class I am attending (the teacher is a pain the neck and many of his students would like to get back at him). Also, if you know that someone is subscribed to a usefull (to him) list, you may unsubscribe him at any time, preventing him from receiving future updates and news.

It's like someone can subscribe you or rivert/cancel your subscription to a magazine or, worse, divert you bills so that you never receive them and therefore never pay them. As you can see, it IS a big deal!

All mailing lists should provide a verification link/code every time you try to add/modify/remove an entry to their system.

dodgeit.com: Beat 'em in their own game

2006-10-10T19:03:00.000+03:00

Having an e-mail account is common these days. In fact, most people have more than one. So, there is a tendency among web sites to ask for your e-mail in order to track you down somehow or keep statistics of their own. For example, wanna download sth? give us your e-mail! This doesn't seem so bad at first but wait a minute! Giving away your address lets them know where they can reach you. And unfortunately a great deal of them takes advantage of that. For starters they decide to subscribe you to their mailing list, sending your their daily or weekly newsletter. Others sell your address to marketing firms which in turn use it to promote their customers' products.

In the end you end up with a dozen or so e-mails a day in your Inbox that you don't care and never asked for. What can you do?

Well, there yet another solution to this: dodgeit.com

Next time you are asked for your e-mail, give a random blabla37@dodgeit.com. No registration required! After that, visit dodgeit.com and check your e-mail (still without any registration or password). Pretty cool, huh?

Another interesting aspect of this: can you think of common usernames other people would use? Like nobody@dodgeit.com or person@dodgeit.com, etc? Try entering some of them in the site and you'll get a list of the e-mails these people got. So next time you register to a forum or sth, use a hotmail/gmail/yahoo account instead!

Dominos GR: Anonymous Pranks Inside!

2006-10-05T17:49:00.000+03:00

It is a common prank to order pizza for someone else by forging their id. All you have to do is give the other guy's name and address and only imagine his surprise when he opens the door to find the delivery guy holding 5 extra-large pizzas. Of course pizzerias use caller-id to avoid taking orders from third-party numbers. So far so good.

But here comes the Internet to spice things up! The greek branch of Dominos, located at dominos.gr, let's you place online orders using a pretty lame authentication system. All the users have to enter, is their phone number and street number (just the number not the street name). The first time you order, you have to do it by the phone so that you provide all your details. The second time though, by entering your phone number in the website form, they pull your record and carry out the order. In fact the online accounts use the same database as the dial-in customers.

Do you see the problem here?

If I know a guy who orders from dominos (he doesn't even have to order online) I can easily lookup his phone number (courtesy of the national, public phone records) and his address. So I can bill him with a dozen or so pizzas. The advantage against the original phone prank is that in this case I cannot be traced! Whether I am using a dynamic ISP IP (the records are classified and no warrant will ever be granted for that purpose), a public hot-spot or Internet cafe or even Tor, I pretty much stay under the radar.

I don't get these guys. The information they need to log you in is public domain! Anyone, anywhere, at any time may access it, copy it and use it freely. How about that? LOL!

Yahoo Redirection Hole Exploited by Phishers

2006-10-04T08:39:00.000+03:00

Every day I get quite a few spam e-mails. Normally I just delete them but today I'm in an investingating mood :)

So, I got this message titled "eBay Member" from "aw-confirm@eBay.com". First of all, I took a look at the header to find out it had been sent through a german gateway. Why would the famous online auction site stationed in the U.S. use such a server? It wouldn't!

And of course there was a link (hidden under HTML) pointing to

If you visit that pretty long and suspicious link you get a web site just like the eBay.com login page only the SSL icon is missing. And this is because only the original site is in possession of the certificate.

Anyway. Last month I talked about a google redirection hole but then again almost all search engines suffer from similar exploits. Yahoo is one of them. The question is what can we do to fill these holes while preserving the freedom of information and user-friendliness of the service.

Finally, one thing that keeps us somehow safe from phishers is that everybody speaks greek and all these e-mails are in english so in the majority of cases you have no business with a foreign service and disregard it. I could only imagine what would happen if they were written in our native language.

Leaking your info on the net...

2006-09-25T18:43:00.000+03:00

It's been 8 years since I purchased Windows 98. At that time I felt really good about my self buying an "advanced Operating System". Of course later I realised I had payed for something that didn't work well most of the time. Anyway, I was living the dream. I was the proud of owner of Windows so I had no second thoughts entering my personal information during the Installation.

Not long after that I found out in horror that web pages could read that information and store/forward them. How did they get that? Well, I started finding cookies in my hard disk titled "firstname.lastname@domain". That's right. It was courtesy of Microsoft :/

Every time someone asked for my details, Windows kindly provided them! At no time did I receive such notification or warning. My name, address, phone number etc where transmitted transparenty to the web.

I remember immediately formatting my hard disk (which does not wipe out sensitive data but at least renders them inaccessible to Windows) and installing the OS under a fake name. I, the legal owner of an overpriced OS, had to forge my identity to ensure some, partial anonymity.

Since then, I developed a fear against entering my name anywhere. Privacy statements go right out the window for me. Whether it is a well-known web site (companies, service providers) or a no-name one, it's one and the same. I simply do NOT trust them. I am not ashamed to state so. I am not fealing paranoid. I just feal you are NOT good enough to protect my privacy. Goodbye now.

How friendly are "User-Friendly" applications?

2006-09-20T03:23:00.000+03:00

Not too many years ago, computer software was just green text on a blank screen with a bleeping cursor. As soon as PCs became popular the term "user-friendly" was born and carried out by the marketing departments of software vendors. What they were trying to do is make a computer and its software more appealing to the average person: colors, icons, tooltips and helpboxes were deployed. In the same spirit, they enforced to the companies' development department an abstraction policy which kept "technical stuff" hidden so that the software users were not confused.

So far everything seems ok and the intension itself is pretty right (make PCs accessible to everyone) but something went wrong on the way. Software that keeps its technical part hidden should operate perfectly (aka bug-free) at the same time. Otherwise when you face trouble, you can't trace it back to its source and fix it/find more about it.

Today's example is Windows Live Messenger but this goes for all software that tend to be "user-friendly". I had this problem: if I chose for the program to remember my password, I was logged in but my contact list was not updated correctly. All my contacts were located under "Other Contacts" and my custom-made categories remained emtpy. I checked with my Hotmail account to make sure that my address book was in order but for some reason the Messenger could not synchronize. Then I tried removing the "remember-me" option so I had to type-in my password every time and, guess what, the synchronization was done perfectly! I mean... omg!

This behavior would stumble the average user who would just say "Windows Sucks". On the other hand, I quickly suspected that in the first case, some local caching was done (save my password, maybe some profile info and stuff) while in the second, all information was downloaded from the server. Yet I had no way of fixing this (clear the cache). At least not from within the Messenger. How friendly is that?

The programmers, in an attempt to keep me away from "technical stuff", have hidden (in fact scattered) all program files. As far as I can tell there's "Program Files", "Documents and Settings\MyUsername\Application Data" and "Documents and Settings\MyUsername\Local Settings\Application Data". Of course these folders are marked hidden so, in normal circumstances, they are invisible to you.

I had to use Tools > Folder Options to View All Hidden Files and Folders, then search my way through Application Data and find a folder titled "Windows Live Contacts". Still I wasn't sure it was the solution to my problem. Anyway, I deleted it and restarted Messenger. WoW! It seemed I'd hit jackpot! The synchronization was done therefore I had just deleted the problematic cached files. Does anything from the above seem "user-friendly" to you?

To sum up, hidding debug options and program structure from the user means you are absolutely sure about your software's well-behavior. Otherwise at least give us a chance in fixing your stupid mistakes ourselves!

Danger! DOT GR XSS Detected!

2006-09-20T00:53:00.000+03:00

It has come to my attention that a major website, here in Greece, is vulnerable against XSS attacks. I would expect something better from these guys. That site, which I do not intend to reveal for obvious reasons, is actively present in the IT market and one would think it employeed trained professionals. Yet, right there in the front page a huge exploit relies. I haven't done any serious digging but I expect to find more oversights.

As I've written before, XSS (aka Cross Site Scripting) is happening right now while not only programmers but security experts haven't even heard of it. Eventually they'll get to know it the hard way I guess.

Gimme the address & keys to your house!

2006-09-18T23:49:00.000+03:00

Today I received an e-mail from a friend of mine asking me to take a poll about her self ("Do you think I'm smart or do you think I'm sweet?" - Like there's no way she can be both). Anyway, I did answer (don't ask) by following a link to the poll-hosting website. After that, I thought it would be a good idea to set up a similar poll about me and send it to a few people.

It was then that the website asked me to enter my hotmail login and password!!!

The idea was good I guess: they wanted access to my hotmail address book so that the poll I had just created would be forwarded to all of my contacts! Let's say for a moment that spamming my entire address book is ok.

But asking me for my password? What assurances do I get that they will not keep it in some database? I mean giving away my password is a pretty stupid thing to do. The official hotmail services will NEVER ask for it. It may seem convenient to automatically get the e-mail addresses but at what cost?

Anyway, let's say that I am not the least bit suspicious about this and believe they will not store or use my password against my will. Here comes insanity number 2!

The session was not encrypted! No SSL! No nothing! Do you know what that means? The password is transmitted to the server in plain text! That's right, your hotmail password (along with the username) is transmitted from your PC, over a dozen Internet hops and to the server. Anyone may read it in any step of the way with absolutely no effort.

So let's recap: A noname website, in order to conduct a survey among your contacts, asks for your hotmail username and password. That password grants it full access to your messages, contacts and configuration - not just to the address book. Also, that password is transmitted in plain text on its way to their server so any malicious user can read it.

To provide solid proof for this I conducted a little experiment. For the purposes of this, my e-mail will be "testing4this4out" and my password "mypassword". I filled that info in while having a packet sniffer running in the background. The result? As soon as I clicked the submit button I got the following screen in the sniffer...

(If it's too small for you to read, click on it and you'll get the larger version)
As you can see, my e-mail and password appear before you. If this was real life, I would be totally compromised. End of Story.

To conclude, I find it preposterous being asked for my password by a third-party. Moreover when that party does nothing to protect such sensitive information. It seems that we have to look out for ourselves and be constantly on our toes to avoid, the least, an unpleasant situation.

Wireless Security Revised

2006-09-16T20:15:00.000+03:00

There have been talks and talks about Wireless Security but what does the average user know and, more importantly, what does he apply?

Last night I logged in a popular technology forum. It's one of those places where users talks with users and help each other.

A while ago there was a talk (in another forum) I participated in which examined whether forums are the new generation of information or just Unreliable Gossip 2.0. From one point of view, forums allow and promote freedom of speech. Anyone from anywhere may say what he/she has to say. No borders, no boundaries and no censorship. On the other hand, that uncontrollable model of information is susceptible to the "psychology of the group". This means that rumors can easily spread, facts can be twisted and ultimately have dozens or hunders or thousands of people misinformed (I might say deceived) just because "everybody else thinks so". That's the problem right there.

When it comes to critical user-to-user advice, how sure can one be he's getting the right info?

Now, let's get back to the popular technology forum and yet another Thread on Wireless Security. A lot of people in there consider WEP secure, some suggest disabling DHCP and applying a hidden SSID setting and the majority considers MAC Filtering as an effective action. Of course the above will only keep out of a Wi-Fi Network users with the same intellectual level as the ones proposing them. Then again such users don't attack other networks. If they are lucky, when they turn on the computer, it will automatically associate to a network and get an IP through DHCP. Determined attackers on the other hand may penetrate these protective measures in no time.

That's why I consider these tips more dangerous and harmful than any malicious hacker.

The reason is they provide a false blanket of security. Most of these people think "if user1 and user2 suggest them, it's ok". Then, these people, when asked by others to contribute, will replay the same false information as if it was their own, completing an endless loop. Finally a more literate user mentioned WPA/WPA2. That's pretty good unless you use a common dictionary word or name as your Pre-Shared Key.

To sum up, it has been my intention to illustrate the present situation among "user communities" on (wireless) security issues. I would never trust (or at least accept "as-it-is") information from Bob235 or PurpleBeast (the names are fictional), why would you?

Detecting Tor

2006-09-15T18:01:00.000+03:00

Talking about Tor with RSnake has produced some interesting points:

First of all, the use of Tor can be detected. In detail, Privoxy - a proxy working with Tor to provide web surfing anonymity - tends to block certain website elements that may blow a user's "cover". Such behavior can be monitored by a website to determine whether a visitor is under a cloak of invisibility or not.

Also, as pointed out, Tor network uses the domain extension .onion (like .com). Of course that is inaccessible outside the network so there you have it, another detection way. If such page gets a hit, the user is using Tor. Of course the user's anonymity is not compromised in any way since one can never be sure about the given IP. Yet this method is a potential tool for content providers who aim in restricting access to identifiable users.

Tor still remains one of the best ways of operating in insecure networks.

Windows: Vulnerable by Design

2006-08-24T00:48:00.000+03:00

I'm coming around one of my (and probably your) favorite subjects, Windows and Their Evil Nature. Talking about this OS and how it is so insecure is one hot topic. It's just I've never sat down to write a few pointers on the subject. And guess what! Tom Yager in InfoWorld has done it for me. Oh boy!! Anyway :P

Just a few quotes from the article...

All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.

By default, Windows launches all services with SYSTEM-level privileges.

What this means is that if an attacker finds a flaw in a Windows process and manages to inject code, it will be executed with SYSTEM privileges. Bad bad thing! Btw, do you know the average number of flaws/bugs per line of code? Google it and you'll be surprised with the answer.
Another thing I'd like to add is that all these high-priviledged services are running by default in any system. What this means? That all of us have more that a dozen running services which we will never need but at the same time pose a great security risk because of a potential exploit in them!

Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.

This is so common that most of you think of it as standard. No! Using your computer with an administrator account is also a bad bad thing. Why? Because if malicious code is executed somehow in your account it will have admin rights and believe me a large (maybe the largest) portion of malcode needs these rights. You think you are smart enough? Think again. I am not talking about clicking .exe files sent to you over IRC. I am talking about XSS running javascript, remote code execution exploits and many more. Even a simple .bat written by some brat with cp and rm commands aiming to mess up your system. Unfortunately if you switch to a user-level account you will feel disabled most of the time. Well you shouldn't be.

I could talk about these things for days but I guess it's a good time to stop now, just for today. If you find these interesting go on and read the article.

Oh, Slackware >> Windows :P

Public Web Surfing

2006-08-23T03:32:00.000+03:00

The New York Times has an article on safely using public networks (e.g. Wi-Fi hotspots) or public computers (e.g. at an internet cafe or airport). The author points out that most users leave too many traces behind them after using their computer in a public network or using a public computer. These traces may be from browser cookies to passwords and work documents.

It is true that most people are just computer users meaning they don't know and don't care about technical issues, including security. So someone is on the move, wants to check his/her e-mail or contact a friend, connects to a hot spot or visits an Internet cafe. In any case, malicious people could "snif" what he/she does and steal almost anything this user sends or receives.

Of course there are many things one can do to protect him/her self. Everything has to do with attitude: First of all more and more people have laptops so using a public computer is rare. Yet, if you ever need one, keep in mind that it's like talking on a public phone in the middle of a square. Would you yell your ATM PIN over the phone or your e-mail password? No! Hell, No! The same rule applies here. When typing in passwords *always* make sure you are using SSL. If not, just quit. The problem is someone could plant a keylogger in that public PC and collect tons of information. For that reason these PCs are restarted between different users and any specific user-specific programs or data are wipped out. But you can never be too safe so consider public PCs the last possible solution. When using your own laptop you are at least safe from malicious programs. Eavesdroppers do exist though. Check here too for SSL and don't even think about logging in otherwise.

Go ahead, check the article. The author tries to ring the bell to those who are totally unsuspected of the potential dangers but may end up scaring them into ineffective techniques which only offer the illusion of safety. Another point I disagree with is the listing of "security tips" like encryption software and VPN. As I've just said users who don't know how to deal with this stuff are likely to a) lock themselves out of important files b) use a VPN in such way that no protection is provided c) get tricked too easily.

To sum up, public web surfing is certainly a great service allowing you to talk, work, have fun while on the move but, as any public means of communication, should not carry sensitive information. If that is absolutely necessary, there are ways to ensure privacy. The thing is that Security Policies and Techniques for "Private Public Web Surfing" should be applied by trained professionals and not layed upon the hands of ignorant users.

P.S.: To read the article you'll be prompted for a username and a password. Since registration is free I don't see any point in this. I mean they restrict access to registered users but then again, anyone can register! So why not leave the access totally public? Anyway, use goaway147:goaway as username:password (thanks to bugmenot.com).

Google Redirection Hole used for Phishing

2006-08-22T20:58:00.000+03:00

It's official. Google's redirection hole, formerly used for spam, is currently an excellent tool in the hands of phishers.

Why is this bad? Because 99% of Internet users trust google and when they see a link starting with "www.google.com" they think it's part of google or a site google knows about and has included it in its structure. WRONG!

What do I mean? Check this out...

This url (one line) starts with one of the most recognizable domains in the world but what comes next? An unverified IP address and after that the words "signin" and "ebay". Just for testing, try opening it with your browser. It's safe from javascript and stuff. It's just an example. Or try this: append a url of your choice next to "url?q=" and paste the entire thing in your browser. WoW.

This is a huge hole. Anyone can have google as his referrer to a malicious site. Just for the sake of it try entering the link from above (if you haven't done already). And open another tab in your browser with the real signin page from ebay.com. Can you tell the difference? An experienced (or suspicious) user might notice there is no SSL established in the fake page but that's something most victims don't even know about.

Oh and by the way this issue has been known for over six months :P

How To Write Unmaintainable Code

2006-08-20T18:33:00.000+03:00

Following BOFH guidelines demands a little bit more than writting code without comments. In this must-have guide you will learn essential tips in making a code maintainer's life a living hell. It will also guarantee you a life-time contract at your job since no reasonable man will kick you out and except their software to keep running.

Next Gen Search: Photo ID Lookup

2006-08-19T22:24:00.000+03:00

Every time you add a picture to your gmail contact's profile, you are asked to crop it to seperate the face from the body. So Google has, somewhere, a huge database with people's headshots tied with nicknames and other information. I wonder why...

Now hear this: Google was very close in acquiring Riya, a face recognition service which expanded into a visual search engine. The deal broke since Google decided to develop an in-house solution. This prooves their intentions in developing algorithms for processing and recognizing faces.

How about that? You enter google.com, search a name/nickname and download the guy's/gal's photo. Another scenario describes you taking a photo with your digital camera/cell phone, uploading it to the search engine and identify the displayed person. OMG. This is just huge. What's next? License plate identification?

Of course there are serious legal implications mainly from possible privacy violations.

To sum up, from a technological point of view this is very big (of course intelligence services have been using this thing for a decade now) but we should give it a good thought before launching it as it is. Besides, Google is already under suspicion because of its search engine (keeping user search entries) and its mailing service (filterning e-mail content to extract information). Finally, all this huge amount of data is becoming an invaluable source which is yet to be mined.

British Terror Alert by Hollywood Inc.

2006-08-19T02:29:00.000+03:00

You must have already heard about the "terror alert" issued by British law enforcement authorities, followed by "imminent attack" countermeasures such as grounding all flights, strip searching all airport travellers and of course banning all liquids (including medicine, water and baby milk) from entering the flight cabin.

At that time, the brits claimed they had "intelligence" on a large-scale terrorist attack which involved mixing certain chemicals on board and causing explosions that could bring down an entire airplane.
Authorities were in true panic since the same "intel" stated that those chemicals could be found in every-day products such as cosmetics and cleaning products. So no liquids on board and if you absolutely had to, you were forced to taste them.

Since the beginning of this I trully believed they were at least overreacting if not playing some propaganda game. Now, The Register has an interesting, detailed article which prooves all these police claims wrong and concludes that this scenario could only be implemented by Hollywood producers in the land of fiction.

Cracking some, Securing others...

2006-08-18T01:45:00.000+03:00

It seems that I am spending too much time and energy talking about stuff in other blogs that I don't take care of my own. Well, I'm not sure anyone else is reading this anyway so I guess it's cool :P

You VS Phishing

To begin with, here's an interesting post on managing security between producers and consumers. It is about Phishing and how it is certain that anything a user has to type in as authentication can be extracted from him/her one way or another. What security experts should be doing is stop trying to educate the users and start increasing security on the company's behalf. Social Engineering (that's what phishing really is) manipulates people and that is something we cannot deal with once and for all. And since we acknowledge that the weakest link is always the human, our efforts should focus on taking him out of the equation.

Yet Another XSS Issue

On the XSS frontier, according to this it is possible to enter specific ASCII characters in some web page which, when next to each other, form expressions or delimiters that can shape the code underneath. That way a user entry may place malicious code outside an tag but withing the realm of the HTML tag. This is so crazy my head is going to explode. No, it's not because I find it difficult to understand or anything. It's just that this stuff attack technologies like HyperText Media Language that are considered above suspicion and are widely used. Exploiting this automatically produces a number of victims equal to the Internet population.

So... let me get this straight, a problem so big that can affect the entire Internet but so obfuscated that cannot be seen and if seen cannot be realised. Everyday activites like opening HTML encoded e-mails or hitting a URL may expose the world to malicious attempts. And we are still sitting here?!

Smashing the Flash for Fun and Profit

Last night I was really bored so I decided to study a few flash games and find a way to cheat when submitting the score online. It really was easy. What most of these games do is send a POST to e.g. http://www.example.com/flashgames/game314/submit.asp?score=31400. If you manipulate that packet, changing score to 62800 and finally send it, you have successfully doubled your score! No verification, no nothing. Of course some games do a little checking to see if let's say 62800 is a plausible score (maybe it exceeds the maximum available points or sth). But that's also too easy to deal with.

You just have to decompile the file and take a good look at the source code which is ActionScript. To begin with, all flash games (.swf) are downloaded to your PC prior to execution so you have a copy of the title to look at. Secondly, since they are not compiled files but use an interpreted object-oriented language they contain bytecode (not machine code) which is executed at run time by your browser. That bytecode may be easily reversed using a decompiler (it actually doesn't de-compile but you get the picture). Finally ActionScript seems like pseudo-code, that is logical expressions describing the actual design of the game. These can be well-understood by humans, even non-programmers. To deal with these issues, protection methods are being used. These allow the game to be run but prevent a decompiler from taking it apart. But the truth is these protections aren't that good. They can be removed using freeware, google-found tools. Finally, ActionScript programmers use obfuscation techniques to protect their code (all other elements like graphics are left open to "borrow"). What they really do is piss somebody off since the code may be partly read using certain ways and ofcourse the code structure may always be studied using standard Hex Editors.

Since yesterday I've seen quite a few flash games with variable protection schemes. The hardest I've found used the hash of string containing the actual score plus some "secret" sequence of chars to make sure the submitted score had not been tampered with. This sequence was hard-coded in the game. I mean are they stupid or what? As I've already said, if someone is already skilled to discover the submitted values and crack the file, code obfuscation can do very little to him. So sooner or later the secret is revealed.

There's one golden rule in cryptography:
never rely on the secrecy of the algorithm.

Once the algorithm is revealed, your cover is blown. I could think of and suggest ways to improve verification issues and protect copyrights but that's not my job and I have better things to do :P

e-Shops revised

Almost two weeks ago I ordered a digital camera from a popular, computer/technology store which also operates online. The same day I received an e-mailing informing me that the specified product was out of the stock and urging me to contact an employee by phone. So I did. He claimed that a "bug" in their website showed the camera as available "withing 24 hours" while they had already filled an order from the manufactor some days before. OMG. Do you say the words "bug" followed by "website" and expect someone to shop from you again? Anyway, I made clear that no charges would be made until the product had been shipped to my location. Standard thing I guess, nothing to get excited about. Today, I called the store asking for a status on the order. "We received the items yesterday and they'll be shipped to you tomorrow". Am I missing something here? What happened to "today"? What are they going to do today? Or maybe my call was a wake-up for them to check on my account? So weekend is coming up and I'll get my package on Monday (hopefully).

Come on people! Is this the best you can do? It's the summer time and I'm a bit lazy. Had it been otherwise, I would have already canceled the order and bought the camera from somewhere else.

What these people don't seem to understand is that when you go online you are competing with the world. Thousands of e-Shops are available online providing low prices, high availability and excellent service.

Had it been otherwise, I would have already bought the camera from a country "next-door" like Germany or France. Using today's courier services I could have the product here in two days and at a price possibly lower that the one I get here.

In an open market my shopping mall extends around the world and those who stick to "standard" services won't make it through the year.

RRAS bug: How can they be so stupid?

2006-08-14T11:55:00.000+03:00

If you are reading this then two things are happening: you're running a patched Windows system or you are not running a Windows system at all. Just in case you are not patched yet, get out of here! Now! Go update!

Well... to begin with let me tell you that this is also a big one. Maybe not as big as MS06-40 but it's big. It has to do with rasmans.dll, a library used by the Routing and Remote Access Service in Windows (2000, 2003, XP). Yet another stack overflow exploit due to the ability to write arbitary values in a registry key.

In detail: every time you call a certain function (RPC) from withing that library, which uses registry keys to store information, a new registry key replaces the current (old) one. The problem starts with the value of the key being unlimited. So you can put as much data as you want resulting in a stack overflow exploit. The exploit works by just calling once to set the key to a huge value, then calling the function again to have our huge value deleted, thus triggering the overflow.

How stupid can they be?

What is it with these people?

When releasing such services with a broad range of use it is unforgiving to overlook bugs like this. Or maybe they didn't check their code? I mean Remote Procedure Call, Dynamic Host Control Protocol, Routing and Remote Access, Server Service? These things are automatically deployed in a fresh Windows Intallation. The user is never asked whether to enable these modules or not. "Windows knows best". Also, one uses them because they make his life easier so what happens? Microsoft gives absolutely no control or knowledge over these issues leaving huge back doors (they couldn't do it better even if it was intentional).

If I don't know a certain service is active how could I take it into consideration when securing my system? And if Microsoft keeps that service hidden from me, should it take care of the security too?

Btw, Microsoft has released patch MS06-36 to address this issue but, as I'm told, the patched code still contains part of the vulnerability. Nice going guys :P

Windows Users: Switching to Defcon 1

2006-08-14T11:35:00.000+03:00

Defcon stands for DEFence readiness CONditions and is a model reflecting the current state of alert. Defcon1 is the highest state indicating an imminent attack.

Security Experts all over the world expect a large scale attack against a Windows vulnerability at any moment. Microsoft has released a patch codenamed MS06-40 but there are too many users out there who don't care to download such security updates. This is so serious that the U.S. Department of Homeland Security issued an official warning. The DHS usually worries about terrorist attacks or extreme weather conditions (hurricanes, etc.). So if *they* are worried about this then *you* should be worried too. People compare the possible side effects of this to the MSBlast worm in 2003.

In detail, there's a stack overflow exploit in NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. The Server Service is a Windows NT 4.0, 2000 and XP service allowing users to share resources (files, printers etc. aka File and Printer Sharing) over a network. Using that exploit an attacker could successfuly write 370 bytes of code (payload).

Do you realise how big this is?

Do you know how many unpatched systems are out there?

Exploit code is already out taking advantage of this and causing a DoS attack to a system. Even a failed exploit attempt could result in a system restart.

It is a matter of time before someone turns the exploit code into a worm. This could be the next big thing to shock the Internet. If you still can't understand the potentials of this, shut down your PC - right now!

P.S.: As I've already mentioned a patch is available from Microsoft Windows Update. I suggest you update, if you haven't already done so.

Update: It's seems that I was left behind. Actually the first mass-exploit wave is happening right now. Attackers hijack unpatched Windows machines and use them in irc-controlled botnets. The attacks started on Sat 12 Aug 2006 and involve executing malicious code, using this exploit, install a trojan, modify security settings and connect to an irc server ready to receive commands. You will find here a detailed analysis of this tactic.

(VBS) Shutting Down Windows...

2006-08-14T03:46:00.000+03:00

Here's some vbs code I wrote:

Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -s -t 120", 1, true
Set WSHShell = Nothing
WScript.Quit(0)

As you can see, it executes "shutdown -s -t 120" which tells Windows to terminate in 120 seconds.

To counter the effect (abort the shutdown) you may use:

Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.Run "shutdown -a", 1, true
Set WSHShell = Nothing
WScript.Quit(0)

Homework: Copy each of these pieces into a .txt file naming it exploit.vbs and csexploit.vbs (do NOT leave a trailing .txt and make sure .txt is not hidden from you by the OS). Now, double click on exploit.vbs and you will a window informing you that your system will shut down in less than 120 seconds. Quickly, double click on csexpoit.vbs to make that window disappear and ofcourse abort the process. Cool huh?

Try e-mailing this (actually the exploit.vbs file as an attachment) to your friends titled "check this out" or sth and you'll be surprised to find out how many of them actually clicked the file and faced the penalty :P
Your chances will greatly increase if the receiver of this is some bored, I-dont-know-computers secretary. How do you think so many worms have spread? Did you know that the majority of them was written in vbs?

Now... I should inform you that I could just as easily find code that let's say collects passwords from IE history or copies MSN Messenger identities and logs and have all this info mailed to me as soon as you click the file. Or maybe automatically e-mail the code to everyone in your address book. You should also fear that there have been cases in which you don't have to double click on the file. I could have it executed using a buffer overlow exploit in your Windows system. How about that?

Goodnight everyone!

TSF Deployed at Lebanon

2006-08-13T21:50:00.000+03:00

A humanitarian group called Telecoms Sans Frontieres (TSF) is currently heading for Lebanon to establish emergency telecommunication infrastructure using satellite links, 802.11 nodes, laptops, faxes and mobile phones.

Deploying such wireless networks has been already tested and proved the best solution in such cases. The army and emergency response teams have been among the first to acquire such technology.

Who could argue now that WiFi is not reliable? In a country at war where all wired power and communication grids have been bombed, it seems that wireless communications will do the job.

I've already talked about this at Net Phones Services: Are We There Yet where I stressed out that Computer Network Phone Services could fully take over current wired models.

(debugging) XSS Locator

2006-08-08T02:21:00.000+03:00

XSS, as in Cross Site Scripting, is one hot topic. I've already talked about it in Slow Down! I'm gettin' Dizzy. It has to do with Javascript exploits allowing a malicious user to direct orders to the webserver hosting a site and using it to hide exploit code that will be downloaded by unsuspected visitors. If that sounds too much and impossible to happen, let me inform you that the exploited server may be hosting amazon or ebay or paypal or any other online store/service managing user information.

This is the code (I've replaced '<' and '>' with '#' as my WYSIWYG kept interpreting it. LOL. You shouldn't feel safe even while reading this blog.):

';alert(String.fromCharCode(88,83,83))//\';
alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//\";
alert(String.fromCharCode(88,83,83))//>#/SCRIPT#
!--#SCRIPT#alert(String.fromCharCode(88,83,83))#/SCRIPT#=&{}

What it does is show an alert box on your browser with the message "XSS". Of course if that shows up while you are trying this code in a third-party website, well... it shouldn't have and you've just discovered a vulnerable location!

If you watch carefully you'll see that it puts itself outside any quotes used to store it as a string. E.g. a script that prompts you with "What is your name?" and expects an answer is a good candidate for testing.

In Detail, let's say you have:

var a = prompt("What is your name?","");

After the user entry, variable 'a' will be (using only the first part of the code to make it easy for someone to notice):

var a = '';alert(String.fromCharCode(88,83,83))//';

As you can see the second quote (right before the first semicolon) closes the string and puts the entire code (after alert) outside the script (so it is runnable). Next, there are some more tricks to fool techniques like using a slash to init variable 'a' so that a single quote won't damage the string etc. Finally the #script#code#/script# does the trick :P

This is just a small demonstration. Imagive that this is too simple compared to other exploit codes. Also, imagive that the code doesn't just pop up an alert box but commands the browser running the script to dump passwords to an e-mail address or send a POST/GET command somewhere else (therefore acting as a bot) or ... or ... the possibilities are endless.

P.S.: The exploit code is presented as four lines while it really is just one. I've split them for indentation reasons only. If you want to try it, put it back together. No spaces.

(blogiseverything) The Story Behind These Company Names

2006-08-06T21:19:00.000+03:00

blogiseverything.com has a great article on the name origin for some of the top IT companies.

Did you know that Apache got its name from "A PAtCHy" due to the number of patches written and applied for NCSA's http daemon?

Or did you know that Hotmail was initialy written as "HoTMaiL" to promote the letters HTML, the scripted language used to write web pages?

Or even did you know that Oracle was the codename of a CIA (yes, spy stuff) project carried out by the company's founders?

Well, you'll find a lot of these including Intel, Adobe, Cisco, Google, Microsoft, Motorola, Red Hat, Xerox and Yahoo. You're just one click away :P

No Room Today

2006-08-06T20:30:00.000+03:00

Baltimore Sun has an exclusive story titled "NSA risking electrical overload". It basically says that the NSA HeadQuarters has problems when installing a new computer grid because of its needs in power. Baltimore's power grid is dangerously becoming insufficient for NSA's needs. The situation is fragile. As a result, they have elevated the building's temperature by two degrees in order to save electricity. I bet they also monitor big projects in the city like a new mall to make sure the grid doesn't fail under high demand. The implications of a power failure may be worse that those expected by the Y2K bug, according to a slashdot columnist. So what then? Build a Nuclear Plant? And in another 5 years? Build another one? And another one?

This has reminded me a talk with a collegue of mine about Google. He had said to me that the Google main facility was to its limits in terms of space. "They can't add any more computers in their grid". Of course there are Farms all around the globe caching and splitting the total load of requests but what these farms do is mirror the original grid in California. "They isn't any room left even for a tech guy to walk in there and change a burned CPU". It was amazing. He also claimed Google had an overheating problem. Too many machines in a limited space produce so much heat that the equipment itself is a risk. According to him, they had brought experts on air flow and cooling to come up with a solution. Bottomline, it is a deadlock. All computers must be in one place, one building, one room and there isn't any room left. They could start building a second huge facility but how whould they move out the computers? And how much would that take?

As you can see both NSA and Google face similar problems. Too many computers in one place. The first has power shortage problems, the second heat emission ones. This kind of facility has no future.

I am currently studying Distributed Computer Systems, that is having many computers working as one, sharing big loads of data and/or processing demands over a network. The systems don't have to be physicaly next to each other or in the same room, city, country or continent :P

You may have heard some big DCS projects like @Home (SETI, Folding, etc). These projects put to use the idle CPU time from millions of computers around the globe to examine data that would otherwise take years to produce results. They form huge supercomputers that will never fail (even if a computer or group of computers is down the grid will go on) and won't be limited by physical resources (space, power, air). A computer may be added to this grid at run time and may be as easily removed.

DCS is a thought out of the box. Maybe too smart for those corporate suites?

Anyhow, it's about time they change strategy and start planning right now and then, maybe in a decade or so, they'll make the transition. Else, they won't be able to stay on the feet.

Slow Down! I'm gettin' dizzy

2006-08-06T01:41:00.000+03:00

I was just reading some guy's blog on security. He was talking about JavaScript Malware and how one could not only collect so much info from a website visitor, running a malicious script, but also launch entire attacks entering DMZs and exploiting vulnerabilities deep inside a secure network.

I'm just beginning to learn javascript but I am able to understand that what this guy is talking about is possible. Like let's do it today possible. And it occured to me: forget the security experts, forget the guys in dirty jeans attending BlackHat or Defcon. How many internet users are aware of malicious javascripts? Or Cross Site Scritping? How many super-duper administrators?

Here's a simple example based on a scenario from the above blog. Some guy works as a low level programmer or tech support or sth. Nobody pays much attention to him. His job is as simple as writting Installers or changing backup tapes and ink cartridges. The company's network is secure with super firewalls, VLANs etc. That guy, while bored, enters a CSS vulnerable site let's say MySpace. The attacker has put there a script which is downloaded once the website loads. That's it! The employee didn't see anything strange happening. He continues surfing around while that malicious script is running in the background collecting information about his computer, the network topology, previous network destinations, cached information, passwords etc. That same script may contain exploit code targeting well protected, private network equipment. Boom! How about that?

It may have already happened. Even to you. Homework: Download noScript Extension for Firefox. And surf your favorite sites. Every time a javascript is about to run, noScript blocks it and informs you about it. You'll be surprised to find out how many scripts are running while you are casually visiting a forum or a news site.

All this has a point. 90% of the people I know feel threated by viruses on floppy disks or kidz trying to steal their credit card info. Such an illusion. Somebody may already have hijacked their PC to assemble a botnet and they'll still be running their Antivirus once a week scanning for boot sector viruses :P

Right now technology is a big vector. The majority of people are stuck at the tail and few are shapping things at the head. Unfortunately there's a huge gap in the middle.

This very moment vulnerabilities are being found, exploits are designed and by tomorrow these people will own the world. Can YOU keep up?

(Black Hat) Cloning E-Passports Accomplished

2006-08-03T17:45:00.000+03:00

A german computer security consultant has demonstrated the cloning of the electronic data from an E-Passport at the BlackHat convention, Las Vegas.

By the end of this year, many countries, including the U.S., Germany and Greece, will start issuing these Passports which contain an RFID (radio frequency ID) with the owners information on it. That way, they aim to make forgery a lot harder. Apparently they didn't do a great job planning this thing.

Wired News has published a very interesting article on the subject, which includes a demonstration by the guy who cracked it, Lukas Grunwald. In there, the reader will find out that the information on the chip is totally unencrypted (securely signed though) and therefore can be read and copied quite easily. Also, a worrying scenario states that an explosive device with an RFID sensor may identify a person by his E-Passport, while he is passing by, and activate. Finally, the author describes how a valid E-Passport could be overwritten so that let's say a known terrorist will go through border control uninterrupted.

You may also find an interesting video from Mahaffey and John Hering of Flexilis, security company, demonstrating the failure of the E-Passport's shielding system to prevent unauthorized scans of the RFID from malicious antennas.

I would like to quote something from the article:

Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?

Which reminds me of my own blog entry titled "Exclude illiterate supervisors from e-Hierarchy?"

P.S.: Happy 3/8/6 (x86 day!)

x86 Days

2006-08-02T22:49:00.000+03:00

Somebody pointed out to me the obvious:
today, tomorrow and the day after will be 2/8/6, 3/8/6 and 4/8/6 like 286, 386 and 486. Cool!

Windows: Give up control for a little temporary utility?

2006-08-01T12:45:00.000+03:00

Microsoft Windows came into our lives introducing a revolutionary, user-friendly graphical user interface with the PC. From the start, Microsoft's goal was for every house to have a Windows PC. And they have succeeded in that using agressive marketing, disputed monopoly tactics, etc.

Right now, they (Microsoft) hold a huge piece of the pie and therefore great power. At first, user-friendly ment a mouse, nice colors and a few tooltips. After that, users didn't want their OS to crash (randomly) causing them to lose their unsaved work. So system stability and reliability came into play. Up to that point (let's say Windows 2000) users and Microsoft agreed on what the one side needed and what the other side was offering.

By the time Windows XP was on the market, something changed. Security. What had happened was that the home-OS had made its way in corporate networks interconnected to the Internet. So a few skilled people (hackers) found out several flaws that allowed them to siege control of these networks. Effects? Denial of Service, Lost Information, Leaked Information, Millions of Dollars in loss. While the home user wanted a plug and play system, the company employee demanded an invulnerable system.

So the situation was like this: an operating system with insufficient design for today's standards, problematic to the advanced user and a security risk for who had something to insure. This enforced a change of policy (or if you prefer, took user-friendliness to the next level).

While, up to this point, the user had been the absolute administrator of his system, now, the operating system took the role of protecting the system even from the user's actions if those posed hazard.

Today we hear about various Vista features such us scalable user rights (no more admin accounts available), something Unix had since the beginning, global undelete, abstraction layers for system control etc. All these things may be well-intended but take the keyboard out the user's hands. That's ok if you're just a beginniner and, for that matter, find tooltips and wizards very smart and helpful. But if you know what you want to do and how you want to do it, there's a great change Windows won't let you. So the OS keeps the system secure, right? Wrong! What it does is preserve the system its own way. There may be an attempt to secure it but when the first flaw comes up (there'll always be flaws in the software) you'll be helpless waiting for Microsoft to release a patch. That's not the way I want to work. That's not the way you want to work either. Patching an OS again and again makes it less reliable and much slower. It's not a rare thing for a patch to create a new bug in the system. And all that is done "transparently" through "smart abstraction" which don't "worry" me with technical information. Well maybe I want to be worried when it comes to my own PC. Maybe I want to be kept on alert if there's a reason to.

Would you buy a house with an unknown, invisible, integrated alarm system? So why would you buy an OS which acts the same way? What is more, you have payed pretty expensively for that piece of software!

Bottomline is: Windows was a great idea. Something has gone wrong with the implementation and action must be taked so that we have another version five years from now.

Caution: M$ W0rd Inc.

2006-07-20T07:42:00.000+03:00

Just another quick post on which I intend to write more stuff as soon as I am able to...

I've just read on lifehacker.com that research scientist Tristan Miller has pulished a "Please don't send me Microsoft Word documents" article.

What he does is point out the disadvantages of using the .doc format when exchaning documents over the internet. It sure is an interesting reading and has inspired me for another entry in this blog.

So, BRB!

Google finds me, therefore I exist.

2006-07-20T07:31:00.000+03:00

It's a funny thing these days how many ways are to digitally record (and broadcast) your life on the internet.

Personal web-sites, blogs, dating sites, upload-your-picture/video sites, etc.

Now, I have come across dandelife. It basically asks you to write down incidents of your life (when were you born, when did you first kiss a girl/boy, when did you graduate, when did you get your first job, etc.) and form a timeline publicly available to others. And that's not it. You may link this timeline to videos from YourTube and various information available on others sites representing the e-you.

This is very interesting but I don't have the time right now to expand.

I'll get back to it...

Net phone services. Are we there yet?

2006-07-15T18:40:00.000+03:00

Net phones is a new trend based on the VoIP (Voice over IP) technology. In a few words, the Internet (and any other ethernet network) is used to make and receive calls. That way, the traditional land lines are circumvented and your voice is encapsulated in IP packets travelling through your ISP's network.

At first, things were complicated since you needed a computer, a sound card and of course a headset (microphone, speakers). Lately, ordinary-looking telephone devices have appeared supporting VoIP. All you have to do is plug them in an ethernet network (like you have to plug your regular phone in the telephone network), pick up the receiver and dial the destination number.

Although all this sounds so great and has many advantages, it seems that the world is treating it like beta. Why?

BBC Technology News has an interested article on the subject. It points out the benefits such as low-cost international calls and ease of use but also presents as drawbacks the lack of efficient interconnection between VoIP providers, people's difficulty to adopt a new technology and the fact that such networks cannot substitute lands lines entirely.

First of all I too see the problem with many providers and no solid interconnection agreement. At the moment VoIP phones are used inside small networks (companies, wireless metropolitan networks, etc) with great success but, when it comes to placing a call between cities or countries, the current potentials are limited. That's quite sad because modern people demand a highly extended network when it comes to their communication.

Secondly, the so called "difficulty to adopt" really doesn't exist. The BBC article argues that you need a PC with multimedia capabilities to join a VoIP network. As I have already mentioned, this is not true. Making VoIP calls is as simple as picking up the phone. In my opinion, it is the fear against the unknown. And that fear exists in the absence of information. That information is not provided and will not be easily provided either since traditional land line providers will loose big if VoIP goes massive.

Finally, the argument that land lines cannot be substituted entirely is a false one. The main point of defence is that land lines work in case of a power failure or any other emergency situation. Who are we kidding? In 99% of emergencies the first things to crash are land line and cell phone networks.
On the other hand, the Internet (aka ARPAnet) was designed specifically to withstand catastrophic situations up to a nuclear disaster. Although in most cases there is only one backbone line for the telephone network, IP packets can be routed through many different paths providing highly viable communication networks. If there's one human achievement that will die last, that is the Internet. An international web of nodes linking one place with another in so many ways. Also, wifi networks (aka ethernet goes airborne) can be deployed within minutes after something unpredictable has happened and provide high-quality, reliable communications. The military (which has already designed the ARPAnet) is investing in such rapid-deployment wifi systems. And if the military relies on this technology when operating in the desert or in the jungle, wouldn't you rely on it at home?

In the end, Net phone services are the absolute champion and anyone who thinks otherwise is simply avoiding to look forward. So... stand by, we're almost there!

Exclude illiterate supervisors from e-Hierarchy?

2006-07-06T18:17:00.000+03:00

Slashdot.org reports that the FBI's Password Database has been compromised from the inside by an IT consultant. It goes on to say how he got hold of the Database hashed Passwords and, through a dictionary attack, acquired many passwords with high-level access including the director's, Robert Muller. You may read the whole story here.

This reminded me of a similar incident while I was working as an administrator at a Network Operations Center. A rootkit-infected PC was used to launch a dictionary attack and crack some domain passwords. One of them belonged to the director who had full administrative rights. The moment his account was compromised, the attacker could go anywhere inside our network and do anything. From sniffing more passwords and accessing further resources to bringing down key-elements of our infrastructure.

See the similarities? In both cases the director's password was compromised by a simple dictionary attack. That resulted in a horrible breach of security since the director has full access to everything. So... why would he protect a full access account with a dictionary word? Let's take things from the top.

In companies and organizations there's always the traditional hierarchy starting from interns to the head, the director. However, in the world of Information Technology, being at some level does not always mean you have more skills that another man below you. That's because IT people tend to hold low and medium level positions while high level are covered by Business Managers or given based on political criteria. Therefore it's a mixed system and seniority is a relative subject.

Unavoidably, many directors have little or no knowledge on computers moreover their security. Yet, traditional hierarchy states that they should hold the "keys" to the company aka admin passwords to everything.

So what we do is trust powerfull secrets to people with the IT background of a 5-year-old. As a result, the world's best security techniques and many millions of dollars won't be enough as long as there are such weak human factors.

Wouldn't it be more sane for the senior employee in the IT department to have full access to the internal network while non-IT personnel (including the head of the company) have only user access?

You try to do your job and secure and contain an internet-connected network with unsuspected employees clicking at every new e-mail worm or virus and at the same time critical decisions have to go through technology illiterate people who will never understand them.

To finish the story, let me say that our director (the one with full access to everything) used his username also as his password. The attacker(s), using domain administrative rights, planted rootkits to all other computers in our network (yeap, all Windows). As soon as we discovered the breach and found out how we had been compromised (ξενερώσαμε τίγκα), the director was notified. He didn't say anything. He didn't say a god damn thing! He remained silent, deep in his ignorance. His password was changed from, let's say, "myusername" to "myusername123". Great! The next couple of days I had to work overtimes to remove all malicious software from PCs, change critical passwords and upgrade our security. All I got was complains from employees for not letting them "do their jobs".

If you ask me, the people who are hired to provide IT support must have absolute authority on that subject. Otherwise their role is canceled and there is just an illusion of safety lying around.

Since the CEO of an automobile company does not interfere with the chief mechanic's decisions on engine design, why should the CEO of an IT company do so?

Returning to the FBI case, the IT consultant is facing charges while the director is not to be harmed. So the one man who pointed out the weakness will be punished while the idiot who left the door of the FBI unlocked will get to keep his chair.

Choose (and remember) great passwords.

2006-07-05T21:48:00.000+03:00

Just read a very interesting article at lifehacker.com on generating and remembering strong passwords.

Unfortunately there are too many secure services that rely their front-end on a secret user-defined word (aka password). And since the user is usually the weakest link in a secure protocol, the need for strong (difficult to guess) passwords is obvious. The problem is that difficult passwords are also difficul for users to remember so the vast majority chooses simplisity over security and use date of birth, favorite football team, etc instead. These words exist in dictionaries so what one has to do is test all words found in a dictionary and see if any is used as a secret word (dictionary attack). It is a fact that dictionary attacks have results and I've always wondered why people use a plain word like "book" or "door" to protect their online credit card account. Not too many years ago system administrators, in an attempt to feed their ego, had passwords like "god", "admin", etc. You can only imagive what level of security those words offered.

So read this and you'll have a good idea how to increase the security around your online activities.

P.S.: Personally I generate totally random passwords and memorize them. I don't know if it's because I am young or sth but somehow I manage to remember them all. That's not something I would recommend to others though.

(debugging) Out of the box programming.

2006-07-05T18:48:00.000+03:00

Today, following a link from hexblog.org, I read an interesting article on programming bugs.

First of all, check the following Java code (it's not that language specific - anyone can read it):

1:     public static int binarySearch(int[] a, int key) {
2:         int low = 0;
3:         int high = a.length - 1;
4:
5:         while (low <= high) {
6:             int mid = (low + high) / 2;
7:             int midVal = a[mid];
8:
9:             if (midVal < key)
10:                 low = mid + 1;
11:             else if (midVal > key)
12:                 high = mid - 1;
13:             else
14:                 return mid; // key found
15:         }
16:         return -(low + 1);  // key not found.
17:     }

This might look like code you've used at least once in your programming life. I know I've used similar code. It is a binary search algorithm. What is does is search for an integer (aka key) inside a table (aka a). The table must be sorted ofcourse. It finds the middle value in the table and if key is greater that it, searches in the upper middle of the table, else in the lower middle. Quite simple right? Yet, it holds a terrible bug. I call it terrible because it has to do with things programmers handle every day and consider common (and therefore safe to use): integer variables.

If by now you haven't found the bug, here it is:

6:             int mid =(low + high) / 2;

This will fail when the sum of low and high exceedes the maximum possible value with is (2^31)-1. Take a moment to think this... How many times have you used "int i;" and not consider the possible range of values it may hold?
I bet if you check your last programs you will find such a bug.

The most astonishing fact is that this very bug existed in an example in Chapter 5 of Programming Perls by Jon Bentley for nine years!

Ways of fixing this are:

6:             int mid = low + ((high - low) / 2);
6:             int mid = (low + high) >>> 1;
6:             mid = ((unsigned) (low + high)) >> 1;

Anyway, the article that hinted me writting all this also mentions ways of preventing such things reaching the market. One, nothing special - quite common and known to the public, is building test cases for your code so if something blows it will be contained, the program will terminate but not crash and of course leave a decent error message. Test cases are a funny thing. They can never be too many and have the detency of tripling the size of code and slowing down the program. Java has a good way of handling unexpected events: Exceptions. When something out of the ordinary happens, an exception is thrown. But what next? How you handle that exception is what matters. C and C++ don't have exceptions but that's not so important right now.

Nowadays an effort is made to constuct code testing tools but there are many problems towards that direction. What to do then?

In the middle of a software demanding market running at hundreds of miles, are we allowed to make a pit stop or concentrate and finish the race?

Programmers must be open-minded, equiped with radical vision and a small ego. A program must be designed to withstand a hurricane of unforseen events. Every day practices, taken for granted, must be tested and revised. A program is like a ship. It must control and contain its self. Otherwise, it may sink from a tiny leak.

Cambridge Breached the Great Firewall of China

2006-07-04T21:19:00.000+03:00

Cambridge academics claim to have breached the "great firewall" of China.

That firewall has been installed by the Chinese government to prevent inbound/outgoing access to "inappropriate" Internet locations by chinese users. What it did was filter every connection to and from the country for "bad" keywords. Once such a keyword was detected, the firewall forged a reset packet back to the source so that the connection was killed.

Of course that's pretty stupid because the firewall's strength relied on keeping this mechanism secret. Once it went public, workarounds came up and it was a matter of time before someone applied them to beat China's censorship. What one could do is ignore any reset packets (probably coming from the Firewall) and continue sending data packets. That would work just fine! Quite simple. :)

What is more, the Cambridge folks can perform DDoS attacks simply by adding "banned" keywords to connection requests to legitimate sites. If the Firewall sees such SYN packets it will block in/out connections to/from the target for a couple of minutes up to a couple of hours. And what if that "target" is a government or corporate site? There you have your DDoS attack!

To sum up, China panicked and tried keeping out "bad" content. I am a plain man but even I don't think that's possible in today's world. When you have the Internet (International Network) and the whole world is one planetary village, when information spreads around the globe in seconds, does any reasonable man think he can censor, block or manipulate free speech? Go ahead and have a try. China failed. Neeeext!

WinXP Trust Issues: In the land of the blind...

2006-07-04T17:07:00.000+03:00

... the one-eyed man is king.

I don't know about you but I like to take things into my own hands. Anonymity, Privacy, Authenticity.
Would you trust someone else with theses issues? Especially someone who has already been proved inefficient? Maybe yes if you are a rookie (aka blind) but as soon as someone explains you basic security issues you will immediately try to control the situation but Windows won't let you!

I've read today about "Windows Genuine Advantage Notifications" tool. M$ refers to it as an urgent security update while it simply is some code making your PC call back at M$ every time you boot and exchange information. The official story tries to assure us that no privacy rights are violated but many have reasons to doubt this (tests made and all). If this piece of code came from a different vendor do you know what it'd be called? Spyware! Yes, and it would be red flagged and removed. Of course there's already out a removeWGA tool.

This has brought to the foreground the question "Who really owns your computer? You or your software?". I have more than one computers (Desktop, Laptops) and have paid for Windows (98, XP) so that the programmers get their money etc. What do I get instead? A buggy software that made me get extra software for Antivirus, AntiSpyware and Firewall protection. So when I think I am safe from foreign malicious users I find out that I may be domestically compromised! Yes, the overpriced Operating System I've bought takes advantage of my ignorance (I am experienced but the OS is a blackbox -aka closed source-) and contacts its real owner (No it's not me, the guy who bought it), M$, supplying him with information about me and giving the chance to crackers to illegally access my PC despite all that extra protection I've bought (all that software trusts by default the OS). This whole thing looks more like a spy-tool used by the Intelligence Agencies than a home, innocent, user OS.

And just in case you didn't get all the above here's another example:
You buy a car, let's say a BMW, and then have to buy an alarm system, airbags, fire extinguisher, etc. But the car's design is such that an electric short circuit may disable your alarm, stop the airbags from opening at a critical time etc.
How would you feel about that?

Personally I feel deceived and trapped and therefore very angry.
To sum up M$ is one big μπουρδέλο.
They may underestimate me αλλά εγώ τους γαμώ το σπίτι.

I would be happy if I am on the Internet and have absolutely zero connections and listening ports when all my programs (Internet Browser, E-mail, IM, etc) are closed. But unfortunately that's not the case.

I want to receive exactly what I've paid for. But unfortunately that's not the case either.

e-Social Experiment Uncovered

2006-07-03T02:24:00.000+03:00

I've read a story of Slashdot.org titled "Mysterious Website Actually Social Experiment".

The codename was "eon8" and the entire story was revealed by its creator on July 1st. He maintained a website for a couple of months conducting a social experiment. Through the absence of information he tried to make conclusions about human behavior.

In detail, he posted incomplete and quite vague information that left a lot to the imagination. That's the key-word if you ask me. Also, he (or people affected by the experiment) made references to this website in various webforums. As a result a legend was born. Theories came to light every day. Everybody had a speculation of his own about this "eon8".

All the usual scenarios were deployed: Allien Invasion/Domination/Covert Infiltration, Government Conspiracy, World Wide Covert Organisation/Secret Alliance, The End of the World and many more. The majority of them ended with planet earth and its people being killed or enslaved or somehow harmed.

Of course none of the above was verified since under the mysterious bits and pieces of information there was nothing but an empty shell. A shell filled with fictions of their imagination.

So on July 1st Mr. Chris from Florida (age 23) went public with the results of his experiment stating that he is disappointed because most people's first reaction was to think of something terrible or harmful.

Personally I wouldn't be disappointed. Such behavior must be expected to a degree. No, I am not a pessimist (that's why I said "to a degree"). There's a problem with mankind. We don't know where we come from. We don't know were we are going. Some think they know or want to think they know just to keep their minds calm. So at the brink of the unknown we come up with the worst thing that can happen to us just to be prepared (at least mentally). For example if you are in a dark room and are afraid of spiders, you will start thinking of spiders and not to see one even if it's dark and you can't see anything! Other people fear that someone is hidden in that room and will grab them or that some animal or insect will attack them or ...
So, in the absence of information our mind prepares us for the worst. It is a hard-wired survival technique. It is fear. Only fools don't fear. So I am sorry Mr. Chris if my social behavior disappoints you but I'd rather fear for my life and in the end discover a hoax than make a wishlist and instead endanger my integrity. Lessons of Life 101.