Once Bitten Twice Shy

I’ve mentioned from time to time here about my fascination with Palm and their products. I still think WebOS is probably the best mobile OS out there (judging from playing with the major platforms through emulators and a little hands-on time with devices). I’ve been saying I’m going to get a Pre at some point but have been holding out as of late because Palm is in complete disarray. Well, the developers of one of my previously most used Palm applications, DataViz, have made a recent announcement:

We are continuing our efforts to work with Palm to clear the path for a full editing version of Documents To Go. However, given the current environment at Palm, as well as the necessary collaboration with the device manufacturer that is required to bring an app like ours to a platform like webOS, our Documents To Go editor product for webOS is essentially at a standstill.

As soon as we have any additional information, we will inform you immediately.

Thanks for your passion surrounding our solution.

I bring this up because a history lesson is required. Not only is Palm in financial trouble, they also have a history of screwing developers over. A few years ago Palm introduced what would have been the first netbook, the Foleo. It was a very small laptop-like device that synced up with your phone (and didn’t have much functionality without your phone). It was a neat idea honestly and I was planning on getting one upon release.

Developers worked on applications to release on the Foleo. Quite a bit of time and money was spent by developers to make sure their applications were ready for the fast approaching release date. Then at the last minute (a few days before the scheduled release) Palm cancelled the Foleo. That was it, nothing to see here everybody, move along.

Their reasoning was sound (although way too late). They were working on what would become WebOS at the time. The Foleo operating system, although Linux based, was completely separate from their upcoming WebOS. Palm decided a unified user experience (in other words only putting time and resources into a single operating system) was the way they should go. They promised a Foleo II running their new platform at an unspecified future date, which never came.

This story is important to bring up because it shows why developers are skittish to dump money into developing Palm software. Not only is the future of the company uncertain but they still remember getting screwed over big time in the whole Foleo debacle. Developers are none too happy when a platform developer pulls the keyboard out from under their tired coding fingertips.

So the strike against Palm is twofold at this point. They aren’t making money and they’re still in an untrusted position with developers who remember what happened those short few years ago. I think these two things are going to haunt Palm for many years (if they survive that long) to come.

The Stuff People Agree To

Have you heard of an end user license agreement (EULA)? You probably have. It’s a contract you agree to when you install most non-open source applications. Most people just click “I Accept” and move on with their lives without reading it. Of course sometimes the damndest things are agreed to, like the Immortal Souls clause inserted by an online shopping site to make a point:

By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non-transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorised minions.

Well Sony, no stranger to being complete asshats, has an interesting clause in their EULA (I bring it up now because people started talking about it, but this has been in the EULA for some time):

From time to time, SCE may provide updates, upgrades or services to your PS3™ system to ensure it is functioning properly in accordance with SCE guidelines or provide you with new offerings.

Some services may be provided automatically without notice when you are online, and others may be available to you through SCE’s online network or authorized channels. Without limitation, services may include the provision of the latest update or download of new release that may include security patches, new technology or revised settings and features which may prevent access to unauthorized or pirated content, or use of unauthorized hardware or software in connection with the PS3™ system.

Additionally, you may not be able to view your own content if it includes or displays content that is protected by authentication technology. Some services may change your current settings, cause a loss of data or content, or cause some loss of functionality. It is recommended that you regularly back up any data on the hard disk that is of a type that can be backed up.

Translated into standard English it means Sony can push updates out to your system without requiring you to accept them or having to notify you that they’re doing it. If the update bricks your system that’s your problem and you’ll have to pay to get it fixed. Likewise they can erase any data on your system they please without notification, giving you no recourse.

Of course I’m just using Sony as a punching bag at the moment because they’re asshats. In truth many companies have similar clauses in their EULAs, which is the point I’m trying to make here. Most people have no idea what they’re agreeing to when they click that “I Accept” button on the EULA window.

Let’s bring up another example, iTunes. Did you know that you can’t use iTunes to develop, design, manufacture, or produce missiles, or nuclear, chemical or biological weapons? Well you can’t because you agreed to the EULA.

What I’m really trying to drive home is this, read every contract you sign and every EULA you agree to. The shit that gets snuck in is absurd. It’s shit like this that pushes me towards free open-source software more and more every day.

Hello Kettle, This is The Pot Calling

If you’ve been paying any attention to the iPhone/iPad Flash pissing match you know it’s rather stupid. On one hand Apple is refusing to allow Flash on to their device because it could create competition to their app store or ruin the battery life of their device. Adobe feels they have some kind of right to have their software placed on Apple’s platform. Well Adobe has announced it is quitting its attempts at Flash development for the iPhone/iPad (I can’t say I blame them considering Apple went so far as to say you can only use Apple approved tools to develop for the iPhone/iPad now):

“As developers for the iPhone have learned, if you want to develop for the iPhone you have to be prepared for Apple to reject or restrict your development at any time, and for seemingly any reason,” Chambers said. “The primary goal of Flash has always been to enable cross browser, platform and device development. The cool Web game that you build can easily be targeted and deployed to multiple platforms and devices. However, this is the exact opposite of what Apple wants. They want to tie developers down to their platform, and restrict their options to make it difficult for developers to target other platforms.”

I honestly thought the point behind Flash was to waste my laptop’s battery through absurd CPU usage. But Mr. Chambers is correct in that Apple’s goal is to lock you into their platform while preventing easy cross-platform development that would make it easier for their customers to jump ship. It’s the same thing most software companies have been doing since the dawn of pay-for software. Of course the pot decided to call the kettle black:

In a response, Apple indicated its preference for a variety of up-and-coming standards that collectively compete with what Flash can do.

“Someone has it backwards–it is HTML5, CSS, JavaScript, and H.264 (all supported by the iPhone and iPad) that are open and standard, while Adobe’s Flash is closed and proprietary,” said spokeswoman Trudy Muller in a statement.

H.264 is not an open standard. People who wish to use H.264 are required to license the technology. Furthermore, although the web browser on the iPhone/iPad uses HTML5, CSS, and JavaScript, the applications themselves are not written using those technologies. Adobe was not only trying to get web based Flash onto the iPhone/iPad but also trying to make technology that ported Flash applications to a format that could be utilized on the iPhone/iPad, which is a closed platform.

Either way this debate really is stupid. Apple has no obligation to allow anything on their device they don’t want to allow. Likewise you are not obligated to purchase and use Apple’s phone/tablet if you don’t like their rules (which is why I don’t have an iPhone or iPad).

Firefox For The Truly Paranoid

A while back I mentioned that I dropped Google Chrome and returned to Firefox. My reasoning revolved around features unavailable in Chrome which were available in Firefox through extensions. Well the two features I wanted most have been added in a recent build of Chrome: the ability to block all scripting except for pages I white list, and better cookie management. Yes, I’m still on Firefox. Why? Because Chrome’s script blocking and cookie management features are severely lacking in my opinion.

In Chrome’s advanced settings you can choose to block all scripting and cookies from sites not on your white list. This is exactly what I want, as scripting is the de facto method of exploiting a computer these days and cookies are tools for spying on sites you visit. The problem is Chrome’s interface for its script blocking sucks. If a site has scripts that are being blocked an icon appears in the address bar. If you click on this icon you have two options: keep blocking scripts or white list the site. NoScript on Firefox gives a third option I’m very fond of: temporarily allow scripting. I only white list sites I trust and visit frequently. But oftentimes I find myself visiting websites that require scripting to be enabled in order to glean information from them. In this case I temporarily allow scripting, get the information I need, and know that scripting will be disabled automatically for that site when I close my browser. It’s a great feature.

Likewise NoScript blocks more than scripting. It also notifies you of things like attempted cross-site scripting attacks, forces cookies from a secured site to be sent via HTTPS, and blocks all plugin components like Flash movies until I give my express go-ahead. But Firefox has some other features available via plugins that I can’t replace via Chrome because frankly Chrome’s extension support sucks. In Chrome an extension can’t block items from being downloaded when you view a page. For instance if you install Adblock in Chrome the advertisements from any websites you visit will always be downloaded, but Adblock will simply hide them through the use of CSS. Firefox on the other hand gives extension developers granular control. For instance if I set NoScript to block scripting on www.example.com no JavaScript files will be downloaded when I navigate to www.example.com. Likewise Flash advertisements will not be downloaded unless I enable scripting and click on the individual Flash item.

Overall Chrome is more secure than Firefox’s default installation. In Chrome everything runs in a sandbox, which means in order to exploit the browser you must exploit both its rendering engine (WebKit) and its sandbox. Using the right extensions in Firefox I can ensure no potentially malicious scripts are even downloaded to begin with. An ounce of prevention is worth a pound of cure. Ensuring malicious code is never even downloaded in the first place is a better security option than downloading the code and depending on the sandbox to prevent anything bad from happening. Ideally having both abilities is the best option, which Chrome allows for JavaScript, but again it doesn’t check for other potentially malicious content like NoScript does.

So yes, Firefox is a much slower browser that is big on resources. But the power extension developers have in Firefox means you can make the browser extremely secure, whereas in Chrome you can’t enhance its security outside of methods Google allows. Due to this I’m still on Firefox and will be for the foreseeable future. Since I’m here I thought I’d let everybody know what security related extensions I’m using.

NoScript: I love this extension. I will go so far as to say this extension is the primary reason I’m still using Firefox. It blocks all scripting on all websites unless you add said site to your white list. You can add a site to your white list either permanently or only temporarily if it’s a site you don’t plan on visiting again. It complicates web browsing and therefore isn’t for everybody (or even most people I’d venture to say). As a benefit most of those annoying flashing advertisements get blocked when using NoScript. This extension is constantly being updated with new security related features.

CookieSafe: CookieSafe is a plugin that allows you to manage website cookies. There are three options available for each web site. The first, and default, setting is to block cookies altogether. The second option is to temporarily allow cookies (they will be wiped out upon closing your browser) and the third option is to add the website to your white list, which will allow cookies for that domain. The plugin only allows cookies from specific domains, meaning you don’t have to worry about third party cookies getting onto your system (although this feature is available on most major browsers the implementations generally suck).

Certificate Patrol: I’ve mentioned a research paper I read recently that talks about SSL security and its ability to be exploited by governments. Although there is no surefire way to detect and prevent this kind of exploit you can strongly mitigate it. Certificate Patrol is an extension that displays all major certificate information for a secure web page the first time you visit it or when the certificate changes. So when you visit www.example.com the certificate information (we’ll assume it’s a secure site) will be promptly displayed by Certificate Patrol the first time you navigate your way there. If the certificate has changed when you visit the site again the new certificate information will be displayed, including what has changed. One way to catch a suspicious certificate is to look at the issuer. For instance Internet Explorer trusts the root certificate for the Hong Kong Post Office. If you visit www.example.com and Certificate Patrol notifies you that the certificate has changed and the new one is provided by a different root authority you know something could be up. If the site’s certificate was previously provided by VeriSign and the new one is provided by the Hong Kong Post Office you know something is probably fishy. This could point to the fact the site is not actually www.example.com but a site made by the Chinese government in order to capture information about dissidents who visit www.example.com (obviously some DNS spoofing would be required to redirect visitors to their site as well).
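The issuer-change check that Certificate Patrol automates, written out as an added Python example (this is not the extension’s own code): the store remembers the certificate first seen for a host, treats a same-issuer replacement made while the old certificate is close to expiry as a routine renewal, and holds anything else, such as a new issuer, for the user to review. The certificates, DER bytes and CA names below are constructed sample values, not real ones.

```python
import hashlib
from datetime import datetime, timedelta

# A replacement certificate from the same issuer and subject, presented while
# the old one is within this window of expiry, is treated as a normal renewal.
RENEWAL_WINDOW = timedelta(days=30)


def fingerprint(der_bytes):
    """SHA-256 over the certificate's DER encoding identifies it exactly."""
    return hashlib.sha256(der_bytes).hexdigest()


def _record(cert):
    """The fields we keep per host: enough to say what changed and why."""
    return {
        "fingerprint": fingerprint(cert["der"]),
        "issuer": cert["issuer"],
        "subject": cert["subject"],
        "not_after": cert["not_after"],
    }


class CertStore:
    """Trust-on-first-use store of the last accepted certificate per host."""

    def __init__(self):
        self._seen = {}

    def observe(self, host, cert, now):
        """Classify the certificate `host` just presented at time `now`.

        Returns (verdict, changes) where verdict is 'first-seen', 'unchanged',
        'renewed' or 'suspicious'. A suspicious certificate is NOT stored: the
        user must review the changes and call accept() to start trusting it.
        """
        record = _record(cert)
        prev = self._seen.get(host)
        if prev is None:
            self._seen[host] = record
            return "first-seen", {}
        if prev["fingerprint"] == record["fingerprint"]:
            return "unchanged", {}
        changes = {k: (prev[k], record[k])
                   for k in ("issuer", "subject", "not_after")
                   if prev[k] != record[k]}
        same_identity = "issuer" not in changes and "subject" not in changes
        near_expiry = prev["not_after"] - now <= RENEWAL_WINDOW
        if same_identity and near_expiry:
            self._seen[host] = record
            return "renewed", changes
        return "suspicious", changes  # e.g. VeriSign -> a different root CA

    def accept(self, host, cert):
        """The user reviewed the change and chose to trust the new cert."""
        self._seen[host] = _record(cert)


# Constructed sample certificates for www.example.com (the host used in the
# post); the DER bytes and issuer names are placeholders, not real CAs.
CERT_ORIGINAL = {
    "der": b"constructed-der-bytes-1",
    "subject": "CN=www.example.com",
    "issuer": "CN=VeriSign Class 3 (constructed)",
    "not_after": datetime(2010, 5, 1),
}
CERT_RENEWED = dict(CERT_ORIGINAL, der=b"constructed-der-bytes-2",
                    not_after=datetime(2011, 5, 1))
CERT_SWAPPED = dict(CERT_RENEWED, der=b"constructed-der-bytes-3",
                    issuer="CN=Hong Kong Post Office (constructed)")


def demo():
    """Four visits to www.example.com; returns the (verdict, changes) list."""
    store, host, results = CertStore(), "www.example.com", []
    results.append(store.observe(host, CERT_ORIGINAL, datetime(2010, 4, 1)))
    results.append(store.observe(host, CERT_ORIGINAL, datetime(2010, 4, 2)))
    results.append(store.observe(host, CERT_RENEWED, datetime(2010, 4, 20)))
    results.append(store.observe(host, CERT_SWAPPED, datetime(2010, 4, 21)))
    return results
```

The fourth visit is the VeriSign-to-Hong-Kong-Post case from the paragraph above: the fingerprint changed, the old certificate was nowhere near expiry, and the issuer differs, so the store reports it as suspicious and keeps trusting the previous certificate until the user accepts the new one.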

Those three extensions help mitigate many common web based attacks. This post is not to say none of this can be done in Chrome though. For instance you can manually check for certificate changes in Chrome, but you will have to do it every time you visit a site to see if the certificate changed or not. Certificate Patrol simply automates that task. Likewise you can block cookies and scripting in Chrome but the interface to do either is more cumbersome than using CookieSafe and NoScript.

Personally I value security over performance and that is why I’m still sticking with Firefox.

On The FCC Vs. Comcast Case

A while back the FCC brought down the hammer on Comcast, telling the not-loved-by-anybody company they could not throttle or filter traffic. Well the courts decided that the FCC didn’t have that authority so Comcast is free to go back to their games again. This has been a major topic of discussion with geeks as of late because it pretty much rips the teeth right out of the idea of net neutrality. Or does it?

The Internet is an interesting creature. Its predecessor was created during the Cold War as a mechanism to ensure the country didn’t have a single vulnerable point in its military communications network. The idea was to create a decentralized system that couldn’t be taken down by one or a handful of nuclear strikes, thus allowing us to coordinate a counter-attack. Eventually this research led to the public Internet that you’re using right now.

From the get go the government has been involved in the Internet. Likewise most of the major ISPs are companies that evolved from the breakup of Ma Bell, which was a government sanctioned monopoly over all telecommunications in the country. Needless to say the entire system is infected with government interference. Until a short while ago the rules dictated to the ISPs were that they had to allow all traffic to flow across their network without prejudice. This meant they could not throttle traffic crossing their lines that was emitted by or destined to another ISP. These ISPs also couldn’t throttle or filter traffic in any way. Now that this is no longer the case people have been clamoring for the government to enforce net neutrality again.

A lot of people are stating how scary it is to think about these companies having the power to filter traffic and how the only solution available to us is for the government to make laws that prevent this. You know what I find scarier? The government having more control over the Internet. Why? No current representative that I’m aware of has a background in technology, specifically networking. Likewise the government always manages to find the least qualified people to head committees and regulatory groups. Remember “The Internet is a series of tubes” Ted Stevens from Alaska? Guess what. He was in charge of Internet regulation.

Do we really want people like this making laws that will regulate the Internet? I don’t. But I’m also a fan of net neutrality so what could possibly be done to ensure the Internet stays neutral while the government stays out of it? There are actually several options available.

In order to set up an ISP you need two items controlled by private entities. The first is a block of IP addresses while the second is one or more domain names. Both of these are controlled by a private company called the Internet Corporation for Assigned Names and Numbers (ICANN). A potential option available would be for ICANN to require ISPs to agree to a series of rules that would in essence be net neutrality. If the ISPs won’t sign the agreement ICANN simply won’t allocate IP addresses or domain names. Simple. If an ISP really doesn’t want to play by these rules they can create their own Internet (you can create multiple global networks separated from one another, thus having multiple Internets) and of course nobody will use them.

I’m not suggesting this saying it’s the right solution. This suggestion is being made as a potential mechanism of enforcing net neutrality while also keeping the morons in government out of the equation. But the idea of letting an entity that put Ted Stevens in charge make any regulations on the Internet is frightening.

On The Collateral Murder Video

I’m sure everybody has seen the video of the Apache helicopter crew shooting a group of civilians and two reporters. I wasn’t there so I’m not going to comment on the event itself; I’ll leave that to people who want to argue about that. But an interesting point is brought up by Bruce Schneier. The following was stated on the WikiLeaks Twitter stream:

Finally cracked the encryption to US military video in which journalists, among others, are shot. Thanks to all who donated $/CPUs.

Bruce’s question is simple:

Surely this isn’t NSA-level encryption. But what is it?

So WikiLeaks is saying the Collateral Murder video was encrypted upon receipt. They rented “super computer time” to break the video encryption. So what the hell encryption scheme was it, and how was it broken? Although Wikipedia is far from a valid source of information I’m going to link to the article on AES encryption because it gives a good overview. Specifically this part:

The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced that AES may be used to protect classified information:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.[8]

So considering this video was classified it would most likely have been encrypted using AES. There are some attacks currently available against AES but none of them allow breaking it in a reasonable amount of time (depending on the implementation of AES used of course). Of course there is the possibility that the video was encrypted using a poorly chosen key and the WikiLeaks people simply performed a brute force attack against the video. It would seem idiotic that somebody would bother encrypting this video using a strong encryption algorithm but not bother using a good key. Then again this is the government we’re talking about and they are known for incompetence.

I would like to hear from WikiLeaks what method was used to encrypt this video. It would be interesting to find out not only what algorithm was used but also whether the video was encrypted by the military, other government personnel, or the person who leaked the video.

I Think I Can Answer This

A difficult question has been put forth in regards to Apple’s recently released iPad (you may have heard about it):

Doing a little coding, we’ve discovered that iPad apps only have access to 256MB of RAM and the processor thinks it is a single core (probably ARM Cortex A8) processor.

So how does Apple get applications to run so fast? Thanks Thomas!

Considering the device can only run one third party application at a time I’d say you have your answer. If developers have gotten so bad that they can’t get their small application aimed at mobile devices to run on a single-core processor with 256MB of RAM then they have failed as developers. Seriously, my old Palm PDA opened and ran applications instantly and it had a paltry 16 MHz processor and 512KB of RAM, which was split between storage and application use.

Large Hadron Collider Begins Experimentation

Good news for you science folks and bad news for you conspiracy folks: the Large Hadron Collider has begun experimentation. There isn’t much I can say about this thing since I don’t understand most of the principles behind it nor what it hopes to accomplish. But unlike most people who don’t understand a technology I don’t see this thing causing the end of civilization/Earth/Sol System/Milky Way/Universe/Multiverse. I just think it’s cool that after all these years and failures the damned thing is actually running.

LET THE SCIENCING BEGIN!

The Weak Link in Computer Security

People often talk about the inherent lack of security in Microsoft Windows and Internet Explorer. Very seldom does anybody talk about the weakest link in computer security: the users. In the latest Pwn2Own contest, a contest where participants attempt to break into various computers to win them, 64-bit Windows 7, Mac OS X, and even the iPhone all fell. But there was a common theme running here: none of the systems fell to a direct attack.

All the hacked systems were broken into via exploits in their web browsers. Internet Explorer 8 and Firefox 3.6.2 were used to break into the 64-bit Windows 7 systems while Safari was used to break into both Mac OS X and the iPhone. Each browser was broken into by crafting a malicious web page and having the users of the system navigate to it.

But once again none of the systems at this contest were broken into without the need for human interaction. This brings up the fact that human beings are now the main component being attacked (granted, it’s been like this since the dawn of computers). The only way to protect yourself is through education. Do not click on random links that people send you, regardless of whether you know them or not. It’s a simple thing to learn really, but the motto in security is trust no one and you should follow that slogan when on a computer.