Thursday, July 20, 2006

Caution: M$ W0rd Inc.

Just another quick post, to which I intend to add more as soon as I am able to...

I've just read on lifehacker.com that research scientist Tristan Miller has published a "Please don't send me Microsoft Word documents" article.

What he does is point out the disadvantages of using the .doc format when exchanging documents over the internet. It sure is interesting reading and has inspired me to write another entry in this blog.

So, BRB!

Google finds me, therefore I exist.

It's a funny thing these days how many ways there are to digitally record (and broadcast) your life on the internet.

Personal web-sites, blogs, dating sites, upload-your-picture/video sites, etc.

Now, I have come across dandelife. It basically asks you to write down incidents of your life (when you were born, when you first kissed a girl/boy, when you graduated, when you got your first job, etc.) and form a timeline publicly available to others. And that's not all. You may link this timeline to videos from YouTube and various information available on other sites representing the e-you.

This is very interesting but I don't have the time right now to expand.

I'll get back to it...

Saturday, July 15, 2006

Net phone services. Are we there yet?

Net phones are a new trend based on VoIP (Voice over IP) technology. In a few words, the Internet (and any other ethernet network) is used to make and receive calls. That way, the traditional land lines are circumvented and your voice is encapsulated in IP packets travelling through your ISP's network.

At first, things were complicated since you needed a computer, a sound card and of course a headset (microphone, speakers). Lately, ordinary-looking telephone devices have appeared that support VoIP. All you have to do is plug them into an ethernet network (like you have to plug your regular phone into the telephone network), pick up the receiver and dial the destination number.

Although all this sounds so great and has many advantages, it seems that the world is treating it like beta. Why?

BBC Technology News has an interesting article on the subject. It points out the benefits such as low-cost international calls and ease of use but also presents as drawbacks the lack of efficient interconnection between VoIP providers, people's difficulty adopting a new technology and the fact that such networks cannot substitute for land lines entirely.

First of all, I too see the problem with many providers and no solid interconnection agreement. At the moment VoIP phones are used inside small networks (companies, wireless metropolitan networks, etc) with great success but, when it comes to placing a call between cities or countries, the current possibilities are limited. That's quite sad because modern people demand a highly extended network when it comes to their communication.

Secondly, the so-called "difficulty to adopt" really doesn't exist. The BBC article argues that you need a PC with multimedia capabilities to join a VoIP network. As I have already mentioned, this is not true. Making VoIP calls is as simple as picking up the phone. In my opinion, it is the fear of the unknown. And that fear exists in the absence of information. That information is not provided and will not be easily provided either, since traditional land line providers will lose big if VoIP goes massive.

Finally, the argument that land lines cannot be substituted entirely is a false one. The main point of defence is that land lines work in case of a power failure or any other emergency situation. Who are we kidding? In 99% of emergencies the first things to crash are land line and cell phone networks.
On the other hand, the Internet (aka ARPAnet) was designed specifically to withstand catastrophic situations up to a nuclear disaster. Although in most cases there is only one backbone line for the telephone network, IP packets can be routed through many different paths, providing highly viable communication networks. If there's one human achievement that will die last, that is the Internet. An international web of nodes linking one place with another in so many ways. Also, wifi networks (aka ethernet goes airborne) can be deployed within minutes after something unpredictable has happened and provide high-quality, reliable communications. The military (which designed the ARPAnet in the first place) is investing in such rapid-deployment wifi systems. And if the military relies on this technology when operating in the desert or in the jungle, wouldn't you rely on it at home?

In the end, Net phone services are the absolute champion and anyone who thinks otherwise is simply refusing to look forward. So... stand by, we're almost there!

Thursday, July 06, 2006

Exclude illiterate supervisors from e-Hierarchy?

Slashdot.org reports that the FBI's password database has been compromised from the inside by an IT consultant. It goes on to say how he got hold of the database's hashed passwords and, through a dictionary attack, acquired many passwords with high-level access, including the director's, Robert Mueller. You may read the whole story here.

This reminded me of a similar incident while I was working as an administrator at a Network Operations Center. A rootkit-infected PC was used to launch a dictionary attack and crack some domain passwords. One of them belonged to the director, who had full administrative rights. The moment his account was compromised, the attacker could go anywhere inside our network and do anything. From sniffing more passwords and accessing further resources to bringing down key elements of our infrastructure.

See the similarities? In both cases the director's password was compromised by a simple dictionary attack. That resulted in a horrible breach of security since the director has full access to everything. So... why would he protect a full access account with a dictionary word? Let's take things from the top.

In companies and organizations there's always the traditional hierarchy starting from interns up to the head, the director. However, in the world of Information Technology, being at some level does not always mean you have more skills than another man below you. That's because IT people tend to hold low- and medium-level positions while high-level positions are held by business managers or given based on political criteria. Therefore it's a mixed system and seniority is a relative subject.

Unavoidably, many directors have little or no knowledge of computers, let alone of their security. Yet, traditional hierarchy states that they should hold the "keys" to the company, aka admin passwords to everything.

So what we do is trust powerful secrets to people with the IT background of a 5-year-old. As a result, the world's best security techniques and many millions of dollars won't be enough as long as there are such weak human factors.

Wouldn't it be more sane for the senior employee in the IT department to have full access to the internal network while non-IT personnel (including the head of the company) have only user access?

You try to do your job, securing and containing an internet-connected network where unsuspecting employees click on every new e-mail worm or virus, while at the same time critical decisions have to go through technology-illiterate people who will never understand them.

To finish the story, let me say that our director (the one with full access to everything) used his username also as his password. The attacker(s), using domain administrative rights, planted rootkits on all other computers in our network (yep, all Windows). As soon as we discovered the breach and found out how we had been compromised (we were totally bummed out), the director was notified. He didn't say anything. He didn't say a god damn thing! He remained silent, deep in his ignorance. His password was changed from, let's say, "myusername" to "myusername123". Great! The next couple of days I had to work overtime to remove all malicious software from the PCs, change critical passwords and upgrade our security. All I got was complaints from employees for not letting them "do their jobs".

If you ask me, the people who are hired to provide IT support must have absolute authority on that subject. Otherwise their role is nullified and there is just an illusion of safety lying around.

Since the CEO of an automobile company does not interfere with the chief mechanic's decisions on engine design, why should the CEO of an IT company do so?

Returning to the FBI case, the IT consultant is facing charges while the director is left untouched. So the one man who pointed out the weakness will be punished while the idiot who left the door of the FBI unlocked will get to keep his chair.

Wednesday, July 05, 2006

Choose (and remember) great passwords.


Just read a very interesting article at lifehacker.com on generating and remembering strong passwords.

Unfortunately there are too many secure services whose front end relies on a secret user-defined word (aka password). And since the user is usually the weakest link in a secure protocol, the need for strong (difficult to guess) passwords is obvious. The problem is that difficult passwords are also difficult for users to remember, so the vast majority choose simplicity over security and use their date of birth, favorite football team, etc. instead. These words exist in dictionaries, so all one has to do is test every word found in a dictionary and see if any is used as the secret word (dictionary attack). It is a fact that dictionary attacks get results, and I've always wondered why people use a plain word like "book" or "door" to protect their online credit card account. Not too many years ago system administrators, in an attempt to feed their ego, had passwords like "god", "admin", etc. You can only imagine what level of security those words offered.

So read this and you'll have a good idea how to increase the security around your online activities.

P.S.: Personally I generate totally random passwords and memorize them. I don't know if it's because I am young or something but somehow I manage to remember them all. That's not something I would recommend to others though.
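As an added example (not from the original post, the lifehacker article, or the FBI story), here is a small checker that flags exactly the weak choices described above and in the previous post: a dictionary word, the username itself, or either one with digits stuck on the end, the "myusername123" kind of fix. The word list, the sample accounts and the 12-character minimum are all constructed assumptions for the demonstration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class WeakPasswordCheck {
    // Constructed stand-in for a cracking wordlist; a real one has many thousands of entries.
    static final Set<String> WORDLIST = new HashSet<>(Arrays.asList(
            "god", "admin", "book", "door", "password", "letmein", "arsenal"));

    // "myusername123" -> "myusername": appending digits is the most common "fix".
    static String stripTrailingDigits(String s) {
        int end = s.length();
        while (end > 0 && Character.isDigit(s.charAt(end - 1))) {
            end--;
        }
        return s.substring(0, end);
    }

    // Returns null if no obvious weakness is found, otherwise a short reason.
    static String weakness(String username, String password) {
        String pw = password.toLowerCase(Locale.ROOT);
        String user = username.toLowerCase(Locale.ROOT);
        String stem = stripTrailingDigits(pw);
        if (stem.isEmpty()) {
            return "digits only";
        }
        if (stem.equals(user)) {
            return "the username with optional digits appended";
        }
        if (WORDLIST.contains(stem)) {
            return "a dictionary word with optional digits appended";
        }
        if (pw.length() < 12) { // assumed minimum length, not from the post
            return "too short to resist guessing";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples, including the two passwords described in the previous post.
        String[][] samples = {
                {"director", "director"},
                {"director", "director123"},
                {"root", "god"},
                {"root", "Arsenal2006"},
                {"root", "k7#Qz!p2Rw9vLm"},
        };
        for (String[] s : samples) {
            String why = weakness(s[0], s[1]);
            System.out.println(s[1] + " -> " + (why == null ? "acceptable" : "weak: " + why));
        }
    }
}
```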

(debugging) Out of the box programming.

Today, following a link from hexblog.org, I read an interesting article on programming bugs.

First of all, check the following Java code (it's not that language specific - anyone can read it):
1:     public static int binarySearch(int[] a, int key) {
2:         int low = 0;
3:         int high = a.length - 1;
4:
5:         while (low <= high) {
6:             int mid = (low + high) / 2;
7:             int midVal = a[mid];
8:
9:             if (midVal < key)
10:                low = mid + 1;
11:            else if (midVal > key)
12:                high = mid - 1;
13:            else
14:                return mid; // key found
15:        }
16:        return -(low + 1); // key not found.
17:    }
This might look like code you've used at least once in your programming life. I know I've used similar code. It is a binary search algorithm. What it does is search for an integer (aka key) inside a table (aka a). The table must be sorted, of course. It finds the middle value in the table and, if key is greater than it, searches in the upper half of the table, otherwise in the lower half. Quite simple, right? Yet, it holds a terrible bug. I call it terrible because it has to do with things programmers handle every day and consider common (and therefore safe to use): integer variables.

If by now you haven't found the bug, here it is:
6:             int mid = (low + high) / 2;
This will fail when the sum of low and high exceeds the maximum possible value, which is (2^31)-1. Take a moment to think about this... How many times have you used "int i;" without considering the possible range of values it may hold?
I bet if you check your last programs you will find such a bug.

The most astonishing fact is that this very bug existed in an example in Chapter 5 of Programming Pearls by Jon Bentley for nine years!

Ways of fixing this are:
6:             int mid = low + ((high - low) / 2);
6:             int mid = (low + high) >>> 1;
6:             mid = ((unsigned) (low + high)) >> 1;
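Here is the search with the fixed midpoint beside the midpoint variants, as an added example that is not from the original post or from the article it discusses; the index values in main are constructed to sit just past half the int range so the sum in the naive version wraps negative while both fixes agree, and no huge array needs to be allocated to see it.

```java
public class MidpointOverflow {
    // The original line 6: low + high wraps past Integer.MAX_VALUE before the division.
    static int naiveMid(int low, int high) {
        return (low + high) / 2;
    }

    // First fix: the difference cannot overflow when 0 <= low <= high.
    static int midBySubtraction(int low, int high) {
        return low + ((high - low) / 2);
    }

    // Second fix: the wrapped sum is still right when read as unsigned, so an
    // unsigned shift (>>>) halves it correctly where a signed /2 would not.
    static int midByUnsignedShift(int low, int high) {
        return (low + high) >>> 1;
    }

    // The original search with only line 6 changed.
    public static int binarySearch(int[] a, int key) {
        int low = 0;
        int high = a.length - 1;
        while (low <= high) {
            int mid = midBySubtraction(low, high);
            int midVal = a[mid];
            if (midVal < key) {
                low = mid + 1;
            } else if (midVal > key) {
                high = mid - 1;
            } else {
                return mid; // key found
            }
        }
        return -(low + 1); // key not found; encodes the insertion point
    }

    public static void main(String[] args) {
        // Constructed indices: where low and high end up deep into a search over
        // an array of more than 2^30 elements. No such array is allocated here;
        // indexing a[naiveMid(low, high)] would throw ArrayIndexOutOfBoundsException.
        int low = 1 << 30;
        int high = (1 << 30) + 4;
        System.out.println("naive          : " + naiveMid(low, high));
        System.out.println("subtraction    : " + midBySubtraction(low, high));
        System.out.println("unsigned shift : " + midByUnsignedShift(low, high));

        // Small constructed table to show the corrected search still behaves.
        int[] table = {2, 3, 5, 7, 11, 13};
        System.out.println("index of 7 : " + binarySearch(table, 7));
        System.out.println("6 missing  : " + binarySearch(table, 6));
    }
}
```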

Anyway, the article that prompted me to write all this also mentions ways of preventing such things from reaching the market. One, nothing special - quite common and known to the public, is building test cases for your code so that if something blows up it will be contained: the program will terminate but not crash and of course leave a decent error message. Test cases are a funny thing. They can never be too many and they have the tendency to triple the size of the code and slow down the program. Java has a good way of handling unexpected events: Exceptions. When something out of the ordinary happens, an exception is thrown. But what next? How you handle that exception is what matters. C and C++ don't have exceptions but that's not so important right now.

Nowadays an effort is made to construct code testing tools but there are many problems in that direction. What to do then?

In the middle of a software-demanding market running at hundreds of miles an hour, are we allowed to make a pit stop, or do we concentrate and finish the race?

Programmers must be open-minded, equipped with radical vision and a small ego. A program must be designed to withstand a hurricane of unforeseen events. Everyday practices, taken for granted, must be tested and revised. A program is like a ship. It must control and contain itself. Otherwise, it may sink from a tiny leak.

Tuesday, July 04, 2006

Cambridge Breached the Great Firewall of China

Cambridge academics claim to have breached the "great firewall" of China.

That firewall has been installed by the Chinese government to prevent inbound/outbound access to "inappropriate" Internet locations by Chinese users. What it did was filter every connection to and from the country for "bad" keywords. Once such a keyword was detected, the firewall forged a reset packet back to the source so that the connection was killed.

Of course that's pretty stupid because the firewall's strength relied on keeping this mechanism secret. Once it went public, workarounds came up and it was a matter of time before someone applied them to beat China's censorship. What one could do is ignore any reset packets (probably coming from the Firewall) and continue sending data packets. That would work just fine! Quite simple. :)

What is more, the Cambridge folks can perform DDoS attacks simply by adding "banned" keywords to connection requests to legitimate sites. If the Firewall sees such SYN packets it will block in/out connections to/from the target for a couple of minutes up to a couple of hours. And what if that "target" is a government or corporate site? There you have your DDoS attack!

To sum up, China panicked and tried keeping out "bad" content. I am a plain man but even I don't think that's possible in today's world. When you have the Internet (International Network) and the whole world is one planetary village, when information spreads around the globe in seconds, does any reasonable man think he can censor, block or manipulate free speech? Go ahead and have a try. China failed. Neeeext!

WinXP Trust Issues: In the land of the blind...

... the one-eyed man is king.

I don't know about you but I like to take things into my own hands. Anonymity, Privacy, Authenticity.
Would you trust someone else with these issues? Especially someone who has already proved inefficient? Maybe yes if you are a rookie (aka blind), but as soon as someone explains basic security issues to you, you will immediately try to take control of the situation. But Windows won't let you!

I've read today about the "Windows Genuine Advantage Notifications" tool. M$ refers to it as an urgent security update while it simply is some code making your PC call back to M$ every time you boot and exchange information. The official story tries to assure us that no privacy rights are violated but many have reasons to doubt this (tests made and all). If this piece of code came from a different vendor do you know what it'd be called? Spyware! Yes, and it would be red flagged and removed. Of course a removeWGA tool is already out.

This has brought to the foreground the question "Who really owns your computer? You or your software?". I have more than one computer (Desktop, Laptops) and have paid for Windows (98, XP) so that the programmers get their money etc. What do I get instead? Buggy software that made me get extra software for Antivirus, AntiSpyware and Firewall protection. So when I think I am safe from foreign malicious users I find out that I may be domestically compromised! Yes, the overpriced Operating System I've bought takes advantage of my ignorance (I am experienced but the OS is a black box -aka closed source-) and contacts its real owner (no, it's not me, the guy who bought it), M$, supplying him with information about me and giving crackers the chance to illegally access my PC despite all that extra protection I've bought (all that software trusts the OS by default). This whole thing looks more like a spy tool used by the Intelligence Agencies than an innocent home-user OS.

And just in case you didn't get all the above here's another example:
You buy a car, let's say a BMW, and then have to buy an alarm system, airbags, fire extinguisher, etc. But the car's design is such that an electric short circuit may disable your alarm, stop the airbags from opening at a critical time etc.
How would you feel about that?

Personally I feel deceived and trapped and therefore very angry.

To sum up, M$ is one big mess.
They may underestimate me, but I'll wreck their house.

I would be happy if I am on the Internet and have absolutely zero connections and listening ports when all my programs (Internet Browser, E-mail, IM, etc) are closed. But unfortunately that's not the case.

I want to receive exactly what I've paid for. But unfortunately that's not the case either.

Monday, July 03, 2006

e-Social Experiment Uncovered


I've read a story on Slashdot.org titled "Mysterious Website Actually Social Experiment".


The codename was "eon8" and the entire story was revealed by its creator on July 1st. He maintained a website for a couple of months conducting a social experiment. Through the absence of information he tried to draw conclusions about human behavior.

In detail, he posted incomplete and quite vague information that left a lot to the imagination. That's the key word if you ask me. Also, he (or people affected by the experiment) made references to this website in various web forums. As a result a legend was born. Theories came to light every day. Everybody had a speculation of his own about this "eon8".

All the usual scenarios were deployed: Alien Invasion/Domination/Covert Infiltration, Government Conspiracy, World Wide Covert Organisation/Secret Alliance, The End of the World and many more. The majority of them ended with planet Earth and its people being killed or enslaved or somehow harmed.

Of course none of the above was verified since under the mysterious bits and pieces of information there was nothing but an empty shell. A shell filled with fictions of their imagination.

So on July 1st Mr. Chris from Florida (age 23) went public with the results of his experiment stating that he is disappointed because most people's first reaction was to think of something terrible or harmful.

Personally I wouldn't be disappointed. Such behavior must be expected to a degree. No, I am not a pessimist (that's why I said "to a degree"). There's a problem with mankind. We don't know where we come from. We don't know where we are going. Some think they know, or want to think they know, just to keep their minds calm. So at the brink of the unknown we come up with the worst thing that can happen to us just to be prepared (at least mentally). For example, if you are in a dark room and are afraid of spiders, you will start thinking of spiders and dreading seeing one, even though it's dark and you can't see anything! Other people fear that someone is hidden in that room and will grab them, or that some animal or insect will attack them, or ...
So, in the absence of information our mind prepares us for the worst. It is a hard-wired survival technique. It is fear. Only fools don't fear. So I am sorry, Mr. Chris, if my social behavior disappoints you, but I'd rather fear for my life and in the end discover a hoax than make a wishlist and instead endanger my integrity. Lessons of Life 101.