Pages

Tuesday, December 28, 2010

Android phone rocks

Recently I upgraded my worn Blackberry Curve to a new Samsung Captivate from AT&T.  Here are a list of positives and negatives based on my initial use.

The Good
  1. Android rocks.  I can't wait for 3.0
  2. No iTunes to synch with!  (I hate iTunes)
  3. Brighter than my Wife's iPhone.

The Bad
  1. I respect the Samsung design aesthetic, but the smooth symmetric thing is taken too far.
    1. The menu, home, return and search buttons should have some sort of raised nipple like the home keys on your keyboard to let you know that your finger is placed correctly.
    2. Because of the symmetric look of the phone across the vertical axis, I find that half the time I am holding the phone upside down.  With my black berry I could position the phone for use without looking.
    3. The buttons for the ringer volume end up being placed in the wrong position for horizontal usage. I find my finders accidentally pressing them as I use the application.
  2. Tasks don't shutdown automatically, so I have to use ATK to zap 'em.
  3. If I don't use ATK then the battery gets drained fairly quickly.
 The Ugly
  1. AT&T bloatware that I will never use, that cannot be removed. uggghh.  
I am very impressed by this phone.  I think it was a steal through Target Mobile.  I got mine for $49 when the AT&T store had it online for $199.  I can't wait to dive deeper in to the app store and see what goodies are waiting.

Tuesday, December 21, 2010

Java Mutithread my I/O

So the age of the multicore cpu has been here awhile.  Many tech pundits had always predicted that the software would have to change dramatically to utilize the extra cores.  Now that we have them what are we waiting for? 

On my Java Christmas wish list is a class similar to GZIPInputStream that would handle files compressed by pigz. Not really sure that a replacement of GZIPInputStream is in order since obviously it is designed to read from FileInputStream. Perhaps FileInputStream needs to be altered to be multithreaded.  Or perhaps a new PIGZInputStream that can directly read from the file instead of the FileInputStream is in order. 

Understand that I am not looking for max improvement on multicore PC. With it's single drive the heads would do more seeking then the single threaded implementation of GZIPInputStream. What I want is the ability to use multiple threads to access a file striped across multiple drives.  So when I apply this to a server environment, then each thread would end up directing each disk to get it's particular portion of the file.

More than likely what I will get out of Oracle will be a big lump of single threaded coal.  But we can wish can't we?

Tuesday, December 14, 2010

Smart Phones make stupid users

My son lost his phone (Samsung) the other day and when found it had been stepped on and snowed on.  Big bummer.  Oh well, these things happen.  What he seemed to be concerned more about was the loss of his contact list.  We extracted the micro sd card from the new phone and dropped it in his old blackberry and got nothing.  My guess was that broken phone saved it in a format that the new phone could not read...   Any ideas?

Anyway we got to discussing how the rise of smart phones means that most users will rely on the contact list to call and text people they need to communicate with.  Really smart phones make stupid users.  Just think if I told you that all the DNS servers were down and that you could surf the web but you would have to type in the IP addresses to get there.  Some of us could probably get to one or two sites but after that it's a shot in the dark.

As we use more technology we get more dependent. At some point that dependency comes back to bite.

Tuesday, November 23, 2010

I can refudiate that!

In the Palin/Shakespearean tradition, I have created a word that I believe the world will embrace.

It is a mashup of two words, positive and supportive.  Put them together and you have SUPPOSITIVE!  Example - My parents have a suppositive view of my study of under water basket weaving.

Why don't you sit on that and think about it for awhile.    ;-)

Monday, November 22, 2010

Will streaming kill the DVD?

So Netflix just announced an all streaming plan for their service. (Congratulations Netflix you have finally earned your moniker.)   But will the mail service go the way of the buggy whip?  In my estimation this will not happen until you can get ubiquitous wireless net service at high enough speeds to allow streaming anywhere.  Right now this is not a reality.  Consider the family trip.  It would be great to stream those vids for the kids in the backseat.  But how?  What about that cabin in the mountains that does not have wired service?  Satellite may be available but line of sight may be blocked.  How about watching a movie on a boat a couple miles off shore?  Until a user can get high speed wireless access in all these locations you really won't see an end to the Mail order movie business model.

Tuesday, September 28, 2010

How to withdraw Money from an ATM

This is an excellent video to watch to learn the capabilities of ATM scammers.

http://www.youtube.com/watch?v=JbDdsUh_sTg&feature=player_embedded

Shows you how to protect your self from getting your PIN stolen.  Not all PINs are shoulder surfed!

Thursday, August 26, 2010

ATT Here comes the flood! Sink or Swim!

http://www.wired.com/epicenter/2010/08/first-look-netflix-for-the-iphone-arrives-and-does-not-disappoint/all/1

So Netflix has released the Netflix for iPhone app. Apple approved it. If you read between the lines Apple is validating that streaming video to the iPhone should be available. Since the ATT data plan is $15 for 200MB and $25 for 2GB this almost tells you that Apple is shopping carrier(s) that will allow this device/app combination to blossom. It won't do it with Edge for sure. What's ATT's angle? Just think about what they get to charge when unaware users download this app and stream 12 or so movies in the first month. 12 movies is almost 4.8GB. But if you look in the fine print you'll discover that for the DataPro package overage is charged at a rate of $10 per extra GB. So this would cost you about $20. However, at the cheap plan overage is charged at $15 per 200 MB over. So getting my calc out (and I will need my calc for this one) we see that poor subscriber will get a bill for ding! ding! ding! $345. If anyone had any idea that the Netflix app was coming to drive ATT's bottom line for the next quarter raise your hand!

Tuesday, August 10, 2010

Apple is losing it again.

Apple is making the same mistakes it did in the PC / Mac wars of the 90s. They have created a closed system because they want to own the whole system. This is similar to the early 90s when the Mac was being pushed. Apple never wanted outside developers to contribute and thus never published any Application Programming Interfaces. Microsoft went the opposite path and said "You want to develop for our platform? Sure that would be great!" MS provided extensive programming libraries and insight into the depths of windows... Look what happened. The PC took the prize.

Again Apple has created this great product, full of features and value, but they want to keep the system closed. Not only are developers forced to get approval for an iPhone app, but Apple has placed all all eggs in one basket with the exclusive contract with ATT. Verizon and other carrier's customers are chomping at the bit to get that kind of technology but don't want to switch providers. Enter Android. By maintaining the exclusive contract it made customers of the other providers look for an alternative solution. Now this solution has a bigger share than the iPhone. Allowing other providers to sell the Phone won't help now, it's too late. The consumer already has a taste of Android and it wants more.

All I can say is Steve, what were you thinking???

Monday, August 2, 2010

Other ways to send a payment

It seems that alternatives to the current expensive credit and debit transaction systems are evolving http://www.reuters.com/article/idUSTRE6710IH20100802.

The arrival of paypal, and iTunes suggests that companies are looking for a better faster cheaper way to let the money flow.

I have always said that the Phone company billing system is remarkably capable in being able to charge for essentially a micro-transaction (under $.10). Since the cell phone is an extension of the phone company billing system it seems logical that I should be able to send a payment from your phone to mine without having my bank contact your bank and settling the details…

Tuesday, July 27, 2010

Jailbreak and jailbroke

http://www.foxnews.com/scitech/2010/07/27/apple-responds-iphone-jailbreaking-decision/

The Government rewrote the rules a bit with this ruling. Apple has said they will not service your phone if they find it has been jailbroken. How much do you want to bet that the next move by Apple will be similar to what Motorola did with the eFuse technology.

http://phandroid.com/2010/07/16/motorola-responds-to-efuse-and-bootloader-talk-doesnt-brick-but-still-just-as-useless/

Net effect is that the government may have opened up the ability to do this, but it is not going to be selectable for common users because they don't have the tech ability and don't want to brick the phone.

Will a move like this cause prospective iPhone users to go Android? Not likely since the technique will probably flourish on both sides of the market.

Tuesday, July 20, 2010

An incredible feat of exploration and technology

July 20, 1969



A race between two superpowers locked in mutual distrust. The age of technology had begun. Man made a small jump from his home to a new world. I am of course talking about man landing on the moon.


Consider this impressiveness of this feat. Computers were the size of your living room. Communications technology had not yet spawned cell phones or GPS. The precursor networks to the internet were about to be created. No email. No computer aided design stations. No Excel spreadsheets to calculate numbers. Radar had just been invented 29 yrs previous. Air flight was only 66 years old.



What drove it was determined men and women. Astronauts who had the cojones to climb on top of a skyscraper filled with liquid explosive and trust the designers and craftsmen had done their job right. Each rocket was designed with drafting boards and t squares. Calculations were performed with slide rules. No battery powered lithium tools. Each space vehicle was hand crafted, tested and retested until it exceeded the spec.



This point in time was the nexus of our world, politically, spiritually, technologically. It drove the optimism of the USA. We were first. At the time, it was all about chest thumping and propaganda for the cold war.  Now looking back, think of the dividends that this effort has paid. Most of our modern technology has roots in the race to the moon. What a boon for all mankind.


My hat is off to anyone that contributed in this effort. It was an amazing feat and will continue to be unequaled until we strike out for Mars. What would the effect from that trip be?


Thursday, July 1, 2010

Login protection from Google

In response to the high profile hacking cases arriving from Chinese ip ranges into dissident and other email accounts, Google has come up with an excellent way to combat this.

http://arstechnica.com/tech-policy/news/2010/06/suspicious-login-protection-extended-to-all-google-accounts.ars

This allows you to understand the locations that have logged in to your email account. An excellent way to understand if you have been compromised... Other web email providers should follow suite as soon as possible.

Monday, June 28, 2010

This IS the best of the Internet

This man will leave a lasting legacy of educated people.


http://www.khanacademy.org/


This is absolutely the BEST of the Internet.

Wednesday, June 16, 2010

ATT triple FAIL!

Your iPad email addresses are showing

First we find out that 114,000 emails got exposed by AT & T. No big deal right? Wrong.

http://www.dailytech.com/ATT+Accidentally+Shares+114000+iPad+3G+Buyers+Email+Addresses/article18670.htm

Using the email and the sim card ICC-ID this analyst seems to think this gives you global tracking ability down to the cell level on these users.

http://arstechnica.com/security/news/2010/06/atts-ipad-security-breach-could-be-worse-than-initially-thought.ars


Once you can track them to a cell you can use the IMSI to spoof the phone to get email, calls etc.

I want my iPhone!

I used to work for SBC on their website and thought that some of the people were pretty much unskilled warm bodies cashing a paycheck. Evidently these bodies did produce something... the preorder system for the iPhone.

http://gizmodo.com/5564913/proof-iphone-4-pre+orders-using-other-peoples-credit-cards-shipping-info

My father always said that when you are doing business you can't make people stand in line to give you money. Evidentially this was lost on AT & T. I don't blame Apple. I'm sure their order fulfillment is using crufty data supplied by an under engineered, under tested database.

Service with a smile! Not!

Apparently Randy Stephenson does not like answering the email of average joes...

http://gizmodo.com/5554695/email-atts-ceo-get-threatened-with-legal-action

Personally I find this attitude appalling. Here was an opportunity to hand over an email to a CSR and make a customer happy. Instead you lose that customer and others for life.

Kind of reminds you of this guy...

http://voices.washingtonpost.com/right-now/2010/06/bob_etheridge_the_morning_afte.html

Conclusion

Apple run to Verizon as fast as you can!

Tuesday, June 15, 2010

Driving Directions 100 pecent of the time - 100 percent of the time

I have had the opportunity to code a locator application using the Google Maps API. As our locator has evolved we look for ways to refactor and produce a higher quality product. This is a traditional locator, the user provides the center point for the search and then using our data we plot the locations around that center point.

The application had problems with providing driving directions in consistent manner. This mainly presented itself when the user entered an incomplete address. Providing a zip code or a just a city name will plot a point on that feature's centroid. This type of address was sometimes incompatible with the the GDirections object. Many times this would return a status code of 602. Other times it would work correctly. So what to do?

Digging deeper into the GDirections object it appears that it will take addresses or lat long pairs or a combination of both. We experimented with supplying lat long pairs for the start and end points in Google Maps. We were viewing a rural area and right clicked in the middle of a field to select directions from here. When the directions plotted it used the closest road as the start point. Eureka!

So then the application was rewritten to utilize only geographic points for plotting driving directions. But this did not work as well as we had hoped. Directions generated via this method do not have a fully formed address as the origin or destination in the directions listing. Instead of '123 Main St.' The origin would be listed as just 'Main St.'. The marker is plotted exactly where we want it, however, the user is just not informed of the destination address.

So it appears that a hybrid approach will solve the problem of the 602 errors. We will structure our code to attempt to use the incomplete addresses and if that does not work we will drop back to just using the the geographic points. To see how this works let's take a look at the code snippet below. ( ${variable_name} indicates an injection point from the jsp )

function initDirections() {
   directionsMap = new GMap2(document.getElementById("drivingMap"));    
   // try to use addresses.    
   var startAddress = '${spAddress}';
   var endAddress   = '${epAddress}';
             
   addressDirections = new GDirections(directionsMap,  document.getElementById('drivingDetails'));
   GEvent.addListener(addressDirections, "error", initLatLongDirections);
   addressDirections.load("from: ${spAddress} to: ${epAddress}", {travelMode:G_TRAVEL_MODE_DRIVING});    
}

function initLatLongDirections() {
   //alert("dropping to latlong becuase of error" + status); 
   var status = addressDirections.getStatus().code;
   if ( addressDirections.getStatus().code != 200 )
   {     
      var startLatLng = new GLatLng( '${spLatitude}', '${spLongitude}' );
      var endLatLng = new GLatLng( '${epLatitude}', '${epLongitude}' );
          
      latlongDirections = new GDirections(directionsMap, document.getElementById('drivingDetails'));
      GEvent.addListener(latlongDirections, "error", onDirectionsError);
      latlongDirections.load("from: ${spLatitude}, ${spLongitude} to: ${epLatitude}, ${epLongitude}", {travelMode:G_TRAVEL_MODE_DRIVING});     
   }    
}
   
function onDirectionsError(mode) {
   var status = latlongDirections.getStatus().code;
   if (status != 200) 
   {          

      document.getElementById("directionsGenerated").value = 'false';
      document.getElementById("mapDisplayStatus").value = 'error';
      document.getElementById("termSearchDisplay").style.display = '';
      document.getElementById("termSearchAddress").style.display = '';
      document.getElementById("errorMapDisplayText").style.display = '';
      document.getElementById("mapHeader").style.display ='none';
      document.getElementById("mapDetail").style.display='none';
          
   } 
}


Notice that we define an event handler for the first attempt at getting directions, however, we really don't use it to display an error. We pass a function pointer to initLatLongDirections() to attempt to resolve the directions using the this function. Within this function we create a new event handler that points the actual error function.

Friday, June 11, 2010

Theres an app for that

Cruise missile guidance... Think about it. The new iPhone is perfect as a guidance system for a cruise missile - GPS, attitude gyros for positioning, heck, you could even pipe the camera images back to Centcom so they could get the kill video as it drove right through the door. Don't try to tell me that the GPS signal comes through a cell tower and that there are no cell towers on the ocean... uh-uh. Ever notice that your location is available even when you don't have a connection? For more info see http://arstechnica.com/apple/news/2008/10/using-the-iphones-gps-without-a-network-connection.ars


What cost the government millions to develop in the 1960s / 70s can now be yours for $200 and a 2 year contract.

Wednesday, June 2, 2010

Lego printer

I think most engineers played with Lego, Erector, or Tinker Toys as they grew up.  This beats the crap out of any Mindstorm kit from Lego.




I love the little worker that makes the pen go up and down!

Saturday, May 15, 2010

Captcha thoughts

So I have just had to implement a captcha protecting a email function of a site I am working on.  I'm a bit disillusioned by the options I found.  After some research I discovered pretty much what I suspected - captcha is getting beat. The first gen captchas were the equivalent of the Army private shouting "Halt who goes there, Friend or Foe?"  Well duh, what would you answer?  If you are either Friend or Foe you are going to answer the same thing. OCR techniques, session hijacking, and mechanical turks are quickly making child's play of breaking these first generation captchas.  For the purpose of this entry I am going to add my additional requirement that I need a captcha that can be used internationally.  This means I can't just spit out the same English characters for a user in Greece.  Their keyboard just won't be able to allow them to enter the proper characters.

So what to do?  There are other alternatives.  Kitten auth lets you select all the kittens.  Carnegie Mellon the originators of captcha are trying some new techniques.  Most have to do with image identification.  Many will not fulfill the international requirement I have. I believe there has to be a way to enhance the current captcha techniques and still make the captcha easy for a human to fulfill and hard for a script to complete. 

Let's break the capthca down into it's parts.  The first part is the Directive.  The directive tells the user what to do.  The first gen Captcha had a pretty stupid directive, (type all the characters). The next level of Captcha will need to ask the user to do a bit more.

The second part of the captcha is set of data that the user must apply the directive to.

The last part of the captcha is a location for the user to enter and submit the response.

So let's noodle on this a bit.  Most characters are out because they are language specific.  The only characters that seem to cross cultural lines are... numbers. Hmmm... So we need to create a captcha that allows users to input numbers as the answer to our directive.

The problem goes deeper than just challenging the user to input a distorted string of numbers.  Taking a queue from the web security world lets apply the concept of defense in depth.  Let's force the cracking script to do as much work as possible for the following tasks:
  • Understanding the directive.
  • Understanding the datasets for the response.
  • Entering and sending the proper response.
Lets take a look at how each of these can be used to confuse a captcha script.

Understanding the directive

The 1st gen captcha has an unchanging and unimaginative directive... "What are these letters, please enter them"  What if our new captcha asks better, smarter questions?  This is another variable that can be inserted to cause the script to use more cycles.  If you are prompted "Please type the second, 5th and 3rd numbers from the picture below".  This is a fairly simple sentence for a human to understand, yet for a script it will have to do some guessing to get it right.  Why not render the question as a picture as well?  Distort the words, drop letters and use different colors would allow a multitude of possibilities for the captcha script to choke down before even attempting to evaluate the list of responses.  Many different classes of directive questions could be created about a grouping of numbers.  For instance:
  • Enter the striped characters in order from right to left
  • Please type the second, 5th and 6th numbers starting from the right..
  • What two numbers are inside other numbers?
  • List all numbers that touch the striped number
  • etc.
Many different directives that are thoroughly difficult for a script to figure out can be presented. 

Understanding the choices for the response

It could also be possible show two or three sets of numbers and in your directive, tell the user to the proper set of numbers to use.  The script would have to break the question with OCR, understand that you wanted to use the 3rd set, or the top set or the red letters to evaluate a very simple problem like type them in reverse order.  The program could also render multiple results sets but use css to hide all but the one the user should utilize.  Trying to process 10 - 20 images of distorted numbers could send that script into a fit.

Properly designed, this directive could be very difficult for anything but a human to solve it.   

Sending the response

The same rules for current captchas apply.  Enforcing one time use, setting a time limit on the service you are protecting are good techniques.  You should also utilize css to hide multiple input fields for the answer.  The user will only see one field but the script can see multiple. If a value or the wrong value shows up in the hidden field then you know it was provided by a script.  CSS could be used to hide 20 or thirty response fields, or you could just position the decoy fields under the real input.

Taxing the captcha cracker

So as we build a captcha engine we can utilize a different directive that has to be interpreted before it can be applied against the set of data.  Now instead of just running OCR libraries against the script will have to infer the meaning of the directive against the dataset to provide the proper response.  If this is done correctly this is a much harder problem to solve than the 1st gen 'Type the characters you see"

Friday, May 7, 2010

It shipped!

http://www.dinersclubcash.com/locator/search.html is the latest version of the project I have been working on for 8 months.

Now with 32 languages! 

Thursday, May 6, 2010

Top 10 Technolgical achivements for the last 150 years

10. Creation of the transistor
9. The Atom Bomb
8. TV
7. Man landing on the Moon
6. The creation of the laser.
5. The internet
4. Breaking the Nazi enigma code.
3. The Airplane
2. The Telephone
1. Electric Lights!

Friday, April 30, 2010

Thursday, April 22, 2010

Out with the old

I was talking web development with a colleague the other day and a thought popped in my head.  Six years ago an example of cutting edge javascript code was the broswer_sniff.js.  Now if I find something that sniffs browsers I want to make it go away as fast as possible. Amazing how techniques change over time...

This guy knows what it takes to ship software

Although he is writing a RPG and I write enterprise software I think our views on reuse and pushing out a product are very similar. 

http://jeff-vogel.blogspot.com/2010/04/how-i-saved-gaming-industry-overnight.html

You have to ship it to make money.

Wednesday, April 21, 2010

Convergence is here

As new versions of the iPhone, iPad and iTouch get cranked out we are seeing a refinement of these devices in fulfilling it's primary function - as a music player / phone / simple computing platform.  What the world has yet to understand is that these devices are about to become interwoven into every aspect of our lives. At some point an iPhone has enough storage to store your movies, music, files and any thing else that is digital. Your iDevice will be a transportation mechanisim for you to have your data with you everywhere you go.  What is missing right now is the interfaces to plug into to let your iDevice control your house AC, Dim the lights, remote start your car, or turn on your TV and change the channel.

What Steve Jobs needs to do right now is contact ViZio, Sony, Samsung and any other player in the AV industry that wants in on the ground floor of this ubiquitous new controlling technology.  Have them add a slot where the iDevice can plug in.  It could be with a USB type connection or a cradle or an actual slot that the device fits into.  This would work with mobile electronics too.  Contact the car entertainment manufacturers and have the same interface added. As the OS gets better at multitasking your home computing station ends up being just some large monitors you plug the iPad into. 

Why should anyone pay for a DVD/Entertainment system in their car anymore?  For $1000 I can by two iPads that will keep the kids happy for hours.  http://apple.slashdot.org/story/10/04/21/0747242/The-iPad-As-In-Car-Entertainment-System-Killer?from=rss

Android will follow suit, but the vertical integration is not there.  The winner here will be the consumer and Apple Computer Company.

Buy Apple stock now

By any other name would smell as sweet.

This is copied from somewhere, but is so funny I had to share

Everyone knows that if you are going to operate a business in today’s world you need a domain name. It is advisable to look at the domain name selected as other see it and not just as you think it looks. Failure to do this may result in situations such as the following (legitimate) companies who deal in everyday humdrum products and services but clearly didn’t give their domain names enough consideration:


1. A site called ‘Who Represents‘ where you can find the name of the agent that represents a celebrity. Their domain name… wait for it… is www.whorepresents.com

2. Experts Exchange, a knowledge base where programmers can exchange advice and views at www.expertsexchange.com

3. Looking for a pen? Look no further than Pen Island at www.penisland.net

4. Need a therapist? Try Therapist Finder at www.therapistfinder.com

5. Then of course, there’s the Italian Power Generator company… www.powergenitalia.com

6. And now, we have the Mole Station Native Nursery, based in New South
Wales:
www.molestationnursery.com

7. If you’re looking for computer software, there’s always www.ipanywhere.com

8. Welcome to the First Cumming Methodist Church. Their website is www.cummingfirst.com

9. Then, of course, there’s these brainless art designers, and their whacky website:
www.speedofart.com

10. Want to holiday in Lake Tahoe? Try their brochure website at www.gotahoe.com

Thursday, April 8, 2010

I'll make you an offer you can't refuse.

So I'm just thinking out of the box here.  What if in this world of malware you could pay for protection? I'm not talking about purchasing Auntie Virus or malware scanners. I'm not talking cash but computer time... Botnets are essentially cloud resources created through the unknowing installation of malware.  Large companies like Amazon, Google, and Microsoft are ramping up their cloud resources. What if a new business model came out that said I could give my allegiance (computer spare cycles) to an organization that would protect me.  Would this serve an incentive to provide a solution for safeguarding my PC?  How would this manifest itself?

We already know that botnets for different organizations have attacked each other.  What if this were some how commercialized?  Kind of like the business owner in the bad part of town paying protection money to the local hoods and then the Boss moves in.  Don't think it would not happen at a Geopolitical level either. We are pretty sure China has their resources.  Google is trying to challenge them.  Which is bigger?  Which will win?  Will this kick off the cyber arms race?  Each side ramping up more and more resources waiting for the day to press the button and corrupt the other side?

Wednesday, April 7, 2010

Patently Unpatentable

Are you kidding me???  IBM is attempting to patent optimization of a software program by trial and error.  Don't believe me? Look here http://www.google.com/patents/about?id=vYLJAAAAEBAJ&dq=refactoring+software. What's next, copyright on the binary 1?  How about patenting the process of determining if your PC is locked up and using Ctrl Alt Del to restart...

This has to be a late April Fools joke right?

Friday, April 2, 2010

WIRED Marketing Fail

So I am a subscriber to WIRED.  I am also a IT professional. I am fairly security conscious, not likely to fall for any phish. I see adverts and custom email campaigns all the time for different offers.  Here is one from WIRED that struck me as an opportune way to spear phish IT people.






This message contains graphics. If you do not see the graphics, click here to view




.
CONDE NAST PUBLICATIONS



spacer

Dear WIRED Reader,

At WIRED, we strongly value our reader's opinions. That's why, as Vice President and Publisher of WIRED, I'm personally inviting you to complete this online survey for our Preferred Subscriber Network™, an exclusive group of readers to whom we turn first when we want to get helpful feedback or to share the latest information on new products and services we think you'll enjoy.

As a thank you for completing this survey, you will be entered into a sweepstakes giveaway for a chance to win $50,000
*.

And, after completing the survey, you can enjoy all of the benefits that come with membership - including invitations to special events, private sales and new product announcements.

Simply click on the link below or cut and paste the link into your browser.

http://cnsurvey.biz/Instructions.html?magID=37&id=10000110175654790&w=2138&b=s


Thank you and welcome to the Preferred Subscriber Network™.

Sincerely,

Howard Mittman
Vice President and Publisher
WIRED


spacer
spacer

*NO PURCHASE OR SURVEY COMPLETION NECESSARY. To enter and for full rules, including alternate method of entry, click here
. Starts 12:01 AM ET February 16th, 2010 and ends 11:59 PM ET June 30th, 2010, when all entries must be received. Open to legal residents of the 50 United States/DC, 13 years of age or older (18 or older in Maine), except employees of Sponsor, Administrator, Promoter and their immediate families. Odds of winning depend on the number of Creative Presentations. If this Creative Presentation is selected, the odds of winning depend on the number of entries received through this Creative Presentation. Void outside the 50 United States/DC and where prohibited. ARV of Grand Prize: $50,000. Sponsor: ePrize, LLC, One ePrize Drive, Pleasant Ridge, MI 48069. Administrator: Equation Research, LLC, 453 E. Wonderview Avenue, #250, Estes Park, CO 80517. Promoter: The Condé Nast Publications, 1166 Sixth Avenue, 15th Floor, NY, NY 10036.





To remove this e-mail address from future communications regarding WIRED, click here




.

To view our privacy policy, click here




.

Privacy_administration@advancemags.com

Condé Nast Publications
1313 North Market Street
Wilmington, DE 19801 
 
 



Note the link they want you to click.  I almost did. What is waiting for me at cnsurvey.biz?  Check this out, when I mouse over this cnsurvey.biz link it actually wants to send me to http://links.mkt636.com/ctt?kn=1&m=2905913&r=MTM2ODQ5MDYxOTAS1&b=0&j=MTc1NTg3ODU3S0&mt=1&rt=0  Talk about disingenuous! Now my alarms are really going off.  Now I mouse over other links in the email.  They all point to links.mkt.636.com. Sure appears phishy. So time for some more research.

Here is the whois for cnsurvey.biz
http://www.domaincrawler.com/domains/view/cnsurvey.biz
Hmmmm...  Not a whole lot here indicative that this is run by WIRED or Conde Nast.


Here is the whois for mkt636.com...
http://www.domaincrawler.com/domains/view/mkt636.com
Check out the bit down near the end

MarkMonitor is the Global Leader in Enterprise Brand Protection.

Domain Management
MarkMonitor Brand Protection™
AntiFraud Solutions
Corporate Consulting Services


http://www.markmonitor.com/contact/index.php

Ok so obviously this is someone who thinks they are doing a service for WIRED and not a phish.  I disagree the they are protecting WIRED's mark by putting out a survey email that looks like a phishing attempt.  I also disagree that they understand a whole lot about fraud if they make mistakes like this url swap.

But consider this.  What if the phisher can conduct his look alike campaign at the same time that the genuine campaign is going on?  Now when a suspicious recipient calls they can be reassured by Wired's very own customer service to go ahead and click. Wow!

If you are going to do email marketing make sure the links point back to your domain.

Don't do screwy link substitutions. Show the links. 

This is almost as tempting as the 2 GB USB drive I found in the parking lot....  Not!

BTW.  I love the magazine.

Wednesday, March 31, 2010

Ubuntu opportunity to penetrate desktop segment

With all the malware and virus floating around today it is difficult to feel comfortable doing banking over the internet.  Sure it's going to be https, but what about that keylogger that is on your PC because your 10 yr old likes to download flash games?  Windows is the most attacked OS today.

Enter Ubuntu. With Ubuntu and remastersys you can make a cd (called a Live CD) that can boot up and allow your windows PC to be transformed into a secure platform for your internet banking.  This task is not what this post is about.  For that checkout this very good tutorial. There are also great tutorials on making a bootable USB drive, however, this will end up being less secure.  Why?  If you also happen to use that flash drive to store files on then it can be a target for malware and viruses.  That's why a read only copy of the OS is the best idea.

"But mybank uses two factor authentication".  Nice... but there is no way to assure the security of your transaction if you are operating from a compromised PC.  Check out http://blogs.zdnet.com/security/?p=4402
All you banks looking to spring for the RSA token for each account holder,  it's not going to help your customers.

What I would like to explore is the idea that Ubuntu has the perfect opportunity to get avg Windows users to experience the Ubuntu OS.  Once they become at ease with the look and feel it can't be too much of marketing effort to get them to switch for good. To that end Ubuntu should promote this use of their OS heavily.

And with more power!  Firefox should benefit too being the default browser in the Live CD.  This ensures that the user also gets a taste of FireFox as well.  This would drive their penetration too.

But wait there's more! Banks want you to use the internet to do business with them. It cuts down on their paper and processing costs. So much so that some banks are already considering providing these live CDs.  Just think of the opportunity here Mr. Shuttleworth.  Work with the banks and facilitate them distributing your software.  You can't get any more Tom Sawyer than that!

Here are some other sources for thought on this subject.

Any utility that would need to be created around this would be a good idea.  The one I can think of is a utility to save off a users bookmarks from their windows installation and then allow those to be imported into the Ubuntu image before it is packaged up into the Live CD...  Perhaps one that allows you to select the browser to be included?  Can you think of any others?

Tuesday, March 23, 2010

Obamanomics

So let's think about this.  We are adding 32 million people to coverage. The number of Doctors, Hospital beds, Clinics is the same...  Doesn't it make sense that getting an appointment will be harder?   I understand that the laws of supply and demand say that if there is demand a supply will rise to meet it.  It takes 2 years to build a hospital. It takes 8+ years to educate a doctor. How is this situation going to be anything but pain for this country for a least half a decade?

Insurance benefits will have no cap for payout, and I believe that they can raise rates...  but to handle this rise you can get a subsidy. So if I am not taking advantage of the full subsidy then I am leaving something on the table right? 

Can anybody clue me in on how this is supposed to work?  I'm afraid all that we have achieved is change for change sake.

SANS 2010 Conference

I just got back from the SANS 2010 conference in Orlando.  While there I took the Defending Web Applications security essentials class. It was a very good class.  While there I heard a discussion on the intrusions that China is perpetrating on the rest of the world.  Go Google!  If they want Google to observe their laws then they should observe ours.

Monday, March 1, 2010

Zoom in... Now ENHANCE!

We all love the movies where the satellite zooms in and in and in and then we see Jason Bourne about to take out a misguided bad guy.  Other movies like No Way Out (Kevin Costner) has a magic tape drive that can enhance the blurriest of photos.  Well the real world is one step closer to the second movie using a technique called compressed sensing.  Through the magic of math Mr. Costner would have been caught.  Wired has and excellent article at http://www.wired.com/magazine/2010/02/ff_algorithm. Now if they can combine the sat view with google street view and have the camera change perspectives once it reaches the ground.  That would be impressive!

Friday, February 19, 2010

A question of Business Intelligence

If you have ever read anything on Walmart's Business Intelligence system then you know it's the engine that powers much of the decision making for their stores.  It can reroute truck already en route, or suggest that a certain item should be on an end cap to maximize sales.  It can prompt the cashier to ask for ID when a purchase of alcohol is made.  Living close to the meth capital of the world it can also determine if the customer is purchasing more than 2 boxes of psuedoephedrine.

But what can this system really do?  Would it really catch the trend if a shopper were to purchase the following:

12 ga shotgun shells
trash bags
bleach
rope
a crowbar
a gas can
a hunting knife
a 6' x 9' rug

Perhaps the BI system would send a message to the POS terminal that the card can't be processed while it dials 911.
Probably not...   I doubt even the cashier would catch it either.  If you want try it and post the results to YouTube you could be the next YouTube star. Just another what if in this world of technology we live in.

Thursday, January 21, 2010

Setting up SSL with Tomcat

Many installations use a proxy server to front apache or tomcat for the content.  Recently an audit recommended that we use ssl to encrypt this internal traffic from the front end to the content server. Since it was a bit of black magic for me to find all the right settings, I'm going to do the work and show you the easy way.

I will use a self signed cert to do this.  Since the servers are on our internal network I'm not looking for the cert to validate the identity of the server I'm connecting with.  Instead I want the cert to facilitate SSL encryption of the connection from the front end server to the content server.

Making a self signed cert is easy if you know the right incantation for the keytool. I am using the following command:

# generating a new self signed cert for tomcat
keytool -genkey -keyalg RSA -alias tomcat -keystore keystore -storepass p455w0rd -validity 7300

This command tells the keytool to generate a key using the RSA algorithm and call the cert tomcat and the keystore file 'keystore' with a keystore password of 'p45Sw0rd' and make it expire 7300 days from now.

We run it and it generates a file called keystore.  Now we can get the keystore file to list itself with the following command:

# listing the contents of the keystore
keytool -list -v -keystore keystore


This will prompt for a password but you don't have to enter it because it will list it for you anyway (with a big warning about verification).

server1:511# keytool -list -v -keystore keystore
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 20, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Michael Holly, OU=Software Dev, O=Pentaco, L=St. Louis, ST=MO, C=US
Issuer: CN=Michael Holly, OU=Software Dev, O=Pentaco, L=St. Louis, ST=MO, C=US
Serial number: 4b5743b5
Valid from: Wed Jan 20 16:29:09 CST 2010 until: Tue Jan 15 16:29:09 CST 2030
Certificate fingerprints:
         MD5:  7B:40:9B:B8:4C:52:AD:FA:D6:B3:59:81:25:88:4B:AD
         SHA1: 05:9E:03:4F:81:F6:5C:FA:DD:2F:DD:A2:A5:97:E9:D3:EE:13:DF:29
         Signature algorithm name: SHA1withRSA
         Version: 3 

Now that we have our cert let's put it in a location outside the Tomcat tree.  I'm going to drop it in a directory called /opt/tomcat_ssl. Using a location like this makes for a simpler upgrade for Tomcat as all we have to do install the new tomcat and move the server.xml over to the new install.

So now we have our keystore file in /opt/tomcat_ssl and we are ready to config tomcat to use it.

What we want to do it modify the server.xml to understand where the keystore is, what it's password is and any other parameters to control the encryption.  This is done by modifying the connector that tomcat is listening on.

<connector
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/tomcat_ssl/keystore" keystorePass="p455w0rd"
           clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_
RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3D
ES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

The other thing to note here is we usually want to specify the allowed ciphers as some are weaker than others and should not be allowed. Here is the list of medium to high strength ciphers

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Note that if you are configuring an Apache server these ciphers are specified in a different manner. These values are specific to Tomcat only.

Restart Tomcat and you should be good to go.  To see if it is working hit the page, and then rename /opt/tomcat_ssl/keystore to /opt/tomcat_ssl/keystore.bak.  This should invalidate the setup. Restart Tomcat. When you hit the page again you will probably get a 502 Internal Server Error, depending how your front end server is configured.  Rename keystore back to the original and restart. You should be back in business. Enjoy!

Friday, January 15, 2010

Enema of the State in the rearview mirror

In my post from last June  Enema of the State I discussed some of the results that would happen from the bailout by the government of the banks and the auto manufacturers.  Well 6 months have passed and what I said back then is true.  The banks have realized that the government aid was a scarlet letter.  Most of them have paid back the money.  This is a good thing. 

The Ford Co is stronger than ever.  They were able to zig when GM and Chrysler zagged.  Hats off to the executive team there for having the cool headedness to not reach into the cookie jar like the other two.  It will pay off in spades in the coming 3 years.

It will be interesting to see how the rest of this crisis plays out.  Will the Volt be a yugo with a power cord?  GM will need to get the union membership to work in a different way if they want out of this.  I know Ed Whitacre likes a challenge.  He has a huge task reinventing GM with out alienating the union.

Wow that was rude!

Sometimes when shopping in a store you may find a item that has been priced incorrectly or the sale sign is incorrect.  At a brick and mortar store they usually let you have it for the displayed price.  Kind of a loss leader for good customers.  Well I had an odd experience recently at the Dell website.   I follow dealnews.com and dealuniversity.com daily to find tech bargains.  Recently I spotted an item that I wanted to pickup. It was a Hitachi SimpleDrive II 1TB External Hard Drive, $69.00 Shipped Free.  That's $50 off. Excellent price right?  Well I clicked the link and dropped the item in my cart.  Then I went to checkout.  I saw Dell had a input field for a coupon code.  So I put my checkout on hold and went to find some sort of coupon code that would make my price point even better.  After a bit I found the only coupon would bump my shipping from 7 days to 3-5 days for the same price.  So back to the checkout. I enter the code and my cart changes.  Now my total is more than double what it was...  What happened?  Looking closer I figured it out.  They had invalidated the item I originally put in the cart (without removing it) and added the same item with a different item number.  To me this would be the bricks and mortar equivalent of the stock boy running to the front and yanking the item out of my hands.  Once I have it in my cart I think you really should honor the price.