[Giagnocavo]Michael::Write()

# Friday, October 15, 2004
Note to Guatemala: It's not Christmas yet

It's what, mid-October? Already (and for the past two weeks I think) there are Christmas items for sale at stores, and Christmas jingles playing on the radio down here. October, November, December. That's 3 months out of the year. 3/12 -- One QUARTER of the entire year is devoted to Christmas-related marketing. And the countdowns. They do countdowns. First, the number of days until December “the nicest month of the year”. Then the countdown to Christmas itself. What drives this lunacy? Seems like something that goes on for a quarter of the year would lose its feeling of specialness.

Guatemala
Friday, October 15, 2004 9:17:41 PM UTC  #    Comments [0]  |  Trackback

MySQL is really secure... or bad.

I chose MySQL to use as my database, since I was writing on Linux, in C, and it just seemed like the easiest path. Can someone please say “you were so wrong”? MySQL has to be the worst DB engine out there. It doesn't (ok, just added) even have support for SUBQUERIES! Barely has support for multiple charsets. And... binary(20) is NOT a binary field 20 bytes long. It's a char(20). You can't execute multiple commands in a single query. It's embarrassing to open source really. I don't know who could argue that MySQL is competition for SQL Server or Oracle and keep a straight face. Check this list out: http://sql-info.de/mysql/gotchas.html (I really love the part about date handling.)

On the other hand, it's very secure. www.kalea.com.gt <-- No checking of user input whatsoever. (BTW, my little article about Kalea made me a top search result for Kalea Guatemala -- while their site doesn't even show up.)  They take your querystring, concat it to their query, and off it goes. But guess what? Good luck trying to hack it. MySQL is so poor, doing SQL injection and achieving anything fun is nearly impossible. So much for adding prices to their site :). Oh wait, you can do a DoS by using the BENCHMARK expression and then encode/Sha1/etc.

So what am I going to do? Switch to SQL Server as soon as I get a release candidate done. I'm going to load Mono into my C app, and then transition into managed code and use some nice TDS libraries and have a good day with a database that actually works well. Had I done that to begin with, I'd be a few hours ahead of schedule instead of behind schedule...
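The post describes a site that concatenates the query string straight into its SQL and then relies on the database engine's limits (no stacked statements) for protection. The added example below, which is not the post's or Kalea's code, shows why that is not enough: even when the driver refuses a second statement, a tautology inside the WHERE clause still changes what the single query returns, while a bound parameter treats the same input as plain data. It uses an in-memory SQLite table with constructed product rows so it runs offline; the table, columns and prices are made up for the demo.

```python
"""Added example: string-concatenated SQL versus a bound parameter.

Everything here is constructed for the demo: the in-memory SQLite table,
its rows, and the helper names. It is not code from the blog or from the
site the post discusses.
"""
import sqlite3


def _connect() -> sqlite3.Connection:
    """Fresh in-memory catalogue so every call starts from the same rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (1, "Wooden console", "tables", 300.0),   # constructed sample rows
            (2, "Floor lamp", "lighting", 120.0),
            (3, "Wool rug", "rugs", 900.0),
        ],
    )
    return conn


def search_vulnerable(category: str) -> list[str]:
    """The pattern the post describes: user input pasted into the SQL text.

    Input such as  ' OR '1'='1  becomes SQL syntax, so the WHERE clause is
    rewritten and every row comes back, without any second statement needed.
    """
    conn = _connect()
    sql = (
        "SELECT name FROM products WHERE category = '" + category + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(category: str) -> list[str]:
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    conn = _connect()
    sql = "SELECT name FROM products WHERE category = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category,))]


def stacked_statement_rejected(category: str) -> bool:
    """Shows the single-statement limit the post leans on, as a driver refusal.

    Python's sqlite3 raises (sqlite3.Warning before 3.12, ProgrammingError
    from 3.12) when execute() is handed more than one statement. That limit
    is a property of the driver, not a defence: search_vulnerable() above is
    still exploitable with a single statement.
    """
    conn = _connect()
    sql = "SELECT name FROM products WHERE category = '" + category + "'"
    try:
        conn.execute(sql)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, normal input :", search_vulnerable("rugs"))
    print("vulnerable, tautology    :", search_vulnerable("' OR '1'='1"))
    print("safe, same tautology     :", search_safe("' OR '1'='1"))
    print("stacked statement refused:", stacked_statement_rejected("'; DELETE FROM products; --"))
```

The same contrast applies to the MySQL C API the post was using: the query string handed to the client library should never be assembled from request data by concatenation, whatever the engine does or does not support.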

Code | Humour | Misc. Technology | Security
Friday, October 15, 2004 4:18:53 AM UTC  #    Comments [2]  |  Trackback

Visual Web Developer is so nice

I've been working a bit on the web-side of my VoIP application, obviously in ASP.NET (hey, just because Asterisk runs on Linux doesn't mean I'm completely converting!). I'm finally getting to use VS2005 full-time. The Web.NET team has done an awesome job of fixing up the editor. Pretty much everything that really bothered me and sucked about editing pages in VS has been fixed. Selecting elements is so easy. Navigating the HTML is simple (and doesn't lose formatting!). The built-in webserver (and no IIS requirement!) rocks for debugging. I'm just quite surprised at how good everything is. I saw all the cool features a year ago, so I knew it was supposed to be nice, but just using it drives the point home.

Code | Misc. Technology
Friday, October 15, 2004 3:03:58 AM UTC  #    Comments [0]  |  Trackback

Relax: Product teams know what they're doing?

I take Visual Studio very seriously. I spend more time in Visual Studio than in anything else, so potentially any problem in there can easily ripple out to the rest of my life. Thus, when things break for me (i.e., removal of database diagrams, ASP.NET compilation model mess up, etc.), I really, really worry.

What I'm slowly accepting is that as much as Visual Studio/.NET/etc. matters to me, it matters to the respective product teams even more. So I should be able to lay back, relax and enjoy my time 'till my eyes roll back and the next version ships, right?

It's sort of like the Year 2000 issue. I knew a lot of end users (say, people owning electrical devices), who were moving to the mountains, stocking up on supplies, preparing for The End, etc., while saying stuff like “the power grid has microchips that can't handle the year 2000”. These people also wouldn't know what a power grid was if one landed on their head. Did they really think that the electric companies (or any company) weren't at least as concerned as they were? As if having their grandma spouting nonsense was going to get the attention of the CTO of the local power company?

That said, I'm of the strong opinion that I'm not an idiot, and at least somewhat clued in as to what to expect from certain products :). A few things have gotten me hyper during the last year, but I believe the product teams have handled or are in the process of handling most of them. So I have to wonder if somehow me + n other people “overreacting” is what drove these changes, or the product teams just woke up one morning and said “hey, this sucks”. At least with Ladybug, ahem, the MSDN Product Feedback Center, we should be able to get a bit more insight on what really goes on with certain issues. What I'd really like to see is a bit of explanation with each resolution -- if something's a Won't Fix, knowing the reasoning behind it can go a long way in soothing users.

Misc. Technology
Friday, October 15, 2004 2:55:41 AM UTC  #    Comments [0]  |  Trackback

# Thursday, October 14, 2004
Dell Axim 50v -- this is a handheld!

I really want to get a Tablet PC, but I just haven't seen a model that's right yet. However, I have found a handheld that's just awesome: The Dell Axim 50v. Check out these specs:

* 3.7” Screen
* 640x480 resolution @ 16bpp // YES, that's full VGA resolution
* 624 MHz Intel Xscale PXA270 processor
* 128 MB Flash ROM and 64 MB SDRAM memory with XMB (cross media bar) on-screen navigation to access memory
* Integrated 802.11b Wi-Fi and Bluetooth 1.2
* Intel 2700G multimedia accelerator with 16 MB of video memory, providing DVD-quality video playback and supporting dual display capability for professional presentations
* VGA-Out (extra)
* Integrated CompactFlash Type II and Secure Digital / SDIO Now! / MMC card slots
* Headset / headphone jack (cell phone replacement anyone?)
* Full duplex 16-bit 44.1 kHz audio

Now THAT's a lot of handheld for $500.

Misc. Technology
Thursday, October 14, 2004 5:08:13 PM UTC  #    Comments [0]  |  Trackback

# Tuesday, October 12, 2004
Why do we lose the ASP.NET 1.x compilation model in ASP.NET 2?

Writing the Turing ASIX brought me back to a really sore spot in ASP.NET 2: Lack of a good compilation model. In ASP.NET 1.x, you could compile all your code (*.cs) into an assembly, and you were set. Here's why I hate the new “code-beside” and “dynamic compilation” models as they are implemented in VS 2005:

--Deployment/content editing nightmare
Before, I could drop the DLL on the server, *have no source code* on the server, and allow someone else (i.e., my client), to edit the ASPX/ASCX content. In a few cases where I wanted to expose code to him, I could make a virtual method in the base class, and allow him to override it via C# code in a <SCRIPT> block. With the new VS 2005 model, my scenario is blown away and destroyed.

--Access to code means huge, ugly, hackish workarounds
Before, if I made a page/class/control/whatever in any part of my app, I could reference this from any other part. For instance, my Turing image generator. I have two statics on it that any page can call. I want that code to be in Turing.asix.cs (or in the .asix). But I can't! I am required to put it in the /Code directory for no reason at all. Maybe this was done because of the “web programmers” who think HTML is a programming language. Maybe it was to act as a ward to scare of people who are afraid of code. I can't figure it out. All I know is that it pisses me off. This problem is more serious than just my annoyance about moving one file.

Suppose I'm working on a larger site, and to keep things in line, I organize the site into various folders. Now say I'm in something like /TheSite/SomeArea/HierarchialViews. I have a few ASCX controls there, but they all share some common code (some enums, and some pure code classes that help with the sorting or organization for the views (say, something that generates a generic tree to be consumed)). Where do I put the code? Well, with this new model, I've got to put it in /TheSite/CODE/SomeArea/HierarchialViews. In other words, I'm required to duplicate my entire site organization inside the Code directory, just because... um, well, I haven't found a decent reason yet.

The ASP.NET/VWD/whatever team should NOT be making these kinds of decisions for developers. Visual Studio should be a tool that we can use to write apps how we want to write them. This model worked fine for 1.x. Why has it become so hideous that they needed to REMOVE it from 2.0? With all the huge advances ASP.NET 2 and VS2005 take, why must they take this big jump backwards? Couldn't they just leave it in and say “You can do this, but we really recommend using a Code folder so you don't lose track of your .cs files.”??

The only *partial* reason for this behaviour that I can tell is the move to partial classes. Since it's a partial class, it needs the rest of the code generated from the ASP.NET runtime to compile. *I* was quite happy with the inheritance model used before. While partial classes are nice, *I* don't see any personal benefit in using them if it's going to introduce problems like this. At any rate, that still doesn't explain why I can't have a Foo.cs inside any directory (not just the /Code directory) and be able to use it.

Code | Misc. Technology
Tuesday, October 12, 2004 1:38:46 PM UTC  #    Comments [2]  |  Trackback

A baby...

Just got back from LA, where I was attending the Internet Telephony conference. Just when I thought things couldn't get more exciting, my wife tells me: “I'm pregnant.” Very cool. Can't say much more than that it's completely amazing and quite exciting.

Personal
Tuesday, October 12, 2004 1:40:08 AM UTC  #    Comments [2]  |  Trackback

Turing image generator for ASP.NET

Today I was coding a site, and I realised I needed an easy way to avoid automatic signups. So, I did what everyone else does: added a Turing image. Since I was coding in ASP.NET 2.0, I thought it'd be nice to try out the new ASIX image generator type page.

It's pretty nifty. Nothing that you couldn't do with an ASHX in about 5 minutes, but still pretty cool. What I like is that the template starts you off right where you can start coding against the Graphics object. This will definitely make entry much easier for people who aren't as comfortable with these classes. In the past I've normally been against things like this (i.e., a whole set of code just to save some minor work for one specific case), but I think this was a pretty good thing to add.

Download the code here: Turing.cs.txt. This is for ASP.NET 2.0 -- just create a new ASIX and point it at the Turing class. But, it should be pretty simple to hook it up into ASP.NET 1.1. If anyone seems interested, or somehow I get more free time, I'll post the required ASHX handler. Anyways, from ASP.NET 2, all you need in your main page is this code:

// Generate a fresh nonce, keep it in ViewState, and point the image at the ASIX handler
string nonce = Turing.GenerateNewNonce();
ViewState["turingNonce"] = nonce;
this.turingImage.ImageUrl = "~/Turing.asix?nonce=" + Server.UrlEncode(nonce);

Then, to verify (say, in a validator) just do:

// Read back the same ViewState key the page stored the nonce under
Turing.Verify((string)ViewState["turingNonce"], myTextBox.Text);


Just be sure to set EnableViewStateMac to true (otherwise someone can set the “nonce” to something known and render the system ineffective).

Note, I originally wanted to use a nonce system, but instead ended up using a simple encryption. So, it's possible to record the output of an image once (via the querystring data) and store it for later use (until the ASP.NET app restarts). I also use the Random class instead of the RNGCryptoServiceProvider.

As well, since I only use 5 capital roman letters, some basic AI should be able to defeat the algorithm. Add more letters, lines, change colours, etc. to make it stronger. There's some commented code that adds a dark gradient background. Playing around with this could make it harder for AI, at the cost of making it hard for your users.

Edit:
I realised that the way things were, an attacker could request the image multiple times, and get a different output (since the noise is random). This could be used to run a couple of extra passes on the same code, and increase the accuracy of AI against it. Or an attacker could request the code enough times to get an image that isn't that distorted and attack that.

The fix is to seed the random generator with something we can calculate from the nonce (to ensure it's the same image each time), and something the attacker cannot know (so he can't just run our code and see where the lines are). I do this by encrypting the nonce, and taking the first 4 bytes as a seed for the Random class. At 5:33am, this seems solid enough to ensure the numbers are not known to the attacker.

Here's the updated code: Turing2.cs.txt

I think I'm going to A) Add some image transformations to 'warp' the text somewhat, and B) really create a nonce system, instead of just relying on a simple encryption.
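The edit above explains the fix: derive the image's noise from something computable from the nonce (so repeated requests give the same image) but unknown to the attacker (so the noise cannot be reproduced offline). The post also notes the use of Random rather than a cryptographic generator for the nonce, and the replay problem that a real nonce system would close. The added example below is not the post's Turing.cs code; it demonstrates the same design in Python. Its assumptions: a keyed HMAC-SHA256 stands in for the post's “simple encryption”, DEMO_SECRET is a constructed stand-in for a server-side key kept in configuration, a plain set stands in for the ASP.NET-side store of consumed nonces, and the noise is a list of line coordinates rather than a drawn bitmap.

```python
"""Added example of the seeded-noise CAPTCHA design from the post's edit.

Constructed for illustration: DEMO_SECRET, the line-coordinate "rendering",
and the in-memory used-nonce set are stand-ins, not the post's Turing class.
"""
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_uppercase   # the post's capital roman letters
CODE_LENGTH = 5                     # the post's 5-letter challenge
DEMO_SECRET = b"demo-server-secret-change-me"   # constructed; keep a real one in config


def generate_nonce() -> str:
    """Fresh nonce from the OS CSPRNG rather than a seeded Random()."""
    return secrets.token_urlsafe(16)


def derive_challenge(secret: bytes, nonce: str) -> tuple[str, int]:
    """Map (secret, nonce) to the expected code and a noise seed.

    Same nonce -> same code and same seed, so re-requesting the image cannot
    produce a cleaner variant. Without the secret the seed is not computable,
    so the line positions cannot be predicted from the nonce alone.
    """
    digest = hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).digest()
    # Byte mod 26 has a tiny bias (256 is not a multiple of 26); harmless for a
    # 5-letter human challenge, but noted so nobody reuses this for key material.
    code = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:CODE_LENGTH])
    seed = int.from_bytes(digest[CODE_LENGTH:CODE_LENGTH + 4], "big")   # 4 bytes, as in the post
    return code, seed


def noise_lines(seed: int, count: int = 6, width: int = 120, height: int = 40):
    """Deterministic distortion lines: the post's seeded Random, in list form."""
    rng = random.Random(seed)
    return [
        (rng.randrange(width), rng.randrange(height),
         rng.randrange(width), rng.randrange(height))
        for _ in range(count)
    ]


def render(secret: bytes, nonce: str):
    """What the image handler would draw for a given nonce: (code, lines)."""
    code, seed = derive_challenge(secret, nonce)
    return code, noise_lines(seed)


def verify(secret: bytes, nonce: str, answer: str, used: set[str]) -> bool:
    """Check an answer and burn the nonce so a recorded solution cannot be replayed."""
    if nonce in used:
        return False
    used.add(nonce)                       # consumed on first use, right or wrong
    expected, _ = derive_challenge(secret, nonce)
    return hmac.compare_digest(expected.encode(), answer.strip().upper().encode())


if __name__ == "__main__":
    nonce = generate_nonce()
    code, lines = render(DEMO_SECRET, nonce)
    print("nonce:", nonce, "code:", code, "first line:", lines[0])
    consumed: set[str] = set()
    print("first answer accepted :", verify(DEMO_SECRET, nonce, code, consumed))
    print("replayed answer       :", verify(DEMO_SECRET, nonce, code, consumed))
```

Two properties carry over from the post's reasoning. The seed comes from the keyed digest, so requesting the same nonce twice yields identical lines (no averaging across variants), while anyone without the secret cannot regenerate them. The used-nonce set is the “real nonce system” the post plans to add: once an answer has been checked, the same nonce and code pair is refused even though the image for it is still reproducible.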
Code | Security
Tuesday, October 12, 2004 1:19:43 AM UTC  #    Comments [0]  |  Trackback

# Sunday, October 10, 2004
MPAA/Security silliness strikes Miraflores mall

I went downtown to the newest mall built in Guatemala: Miraflores -- yet another example of a design that'd make anyone with any amount of architectural sense sick. Built by the bright people over at spectrum.com.gt. At any rate, being somewhat bored, I decided to watch a movie. The theatres in the new mall aren't that bad.

As I walk into the mall, I see a very interesting sign: No pets, guns, cameras or video cameras allowed. While I can understand the first two items (although, seeing a rabid Akita hunting people in a Gap would be amusing), what crackhead came up with the new [video] camera idea?

At the information desk, I verified that indeed, they did mean no cameras allowed. What possible premise? Security. Apparently taking photographs of public places is somehow a threat. So I pushed a bit more... “How exactly does this improve our security?” “Um... hmm... uh, I think there was a problem at another mall, so they're just doing it in case.” In other words: “no freaking clue”. I also asked if they check people for cell phones, since you could have a camera phone and covertly take pictures. She assured me they'd find people doing that and confiscate their phones.

Later on I find out that the cinema has a $500 reward (which is probably 2x the monthly salary of the people working at the cinema), for finding anyone recording the movies. At the beginning of movies, they play a stupid commercial about not to pirate movies, and compare it to stealing a car (again showing how spaced out the MPAA is). They actually have people with night-vision scoping the audience out during the entire showing.

Now, I'm aware that they do this in the states. The stupid part is that in the USA, movies come out before you can buy them on DVD, download DVD-rips (ok, not always), or rent them at your local movie rental store. Not so in Guatemala. The movie industry is quite backwards, and releases shows much later in different parts of the world (hence their retarded DVD region coding crap). Well, by the time a movie hits Guatemalan theatres *there is no market for screeners of that movie*!

I selected one movie to watch, but my sister told me they had rented it two weeks ago. Others I had seen in theatres in the USA or downloaded DVD-rips of months ago. Some were even at Blockbuster, less than 1km away. All of them are readily available by street vendors (in your choice of VCD or DVD). Yet they still find it necessary to go to extra lengths and “prohibit” cameras to stop this huge screener racket. Silliness. I'm sad to think that some of the population here might A) actually believe them B) not be offended that a company tries to take away their freedom to carry a camera around.

For the sake of prosperity for the country, I'm planning some fun with these people:
1: Photograph and chart the entire mall.
2: Post pictures and schematics here. [For added bonus, mark up the schematics with writing in a script they don't understand.]
3: Distribute flyers at the mall with a URL; email Spectrum.
4: Enjoy the response.
And:
1: Get some empty rolls of toilet paper or other cardboard items.
2: Add a red LED to these items.
3: Distribute at the theatre.
4: Watch employees go nutty thinking they're going to get $50,000 in reward money.
5: Have even more fun when I refuse to surrender my cardboard box.

Just need to find the time...

Guatemala | Humour | Security
Sunday, October 10, 2004 10:50:57 PM UTC  #    Comments [5]  |  Trackback

# Sunday, October 03, 2004
The red X of suckiness

I opened Windows Media Player 10 (which STILL doesn't have a shuffle feature that works) and saw this:



Not sure which service corresponds to the red X, but all of them suck (CinemaNow being the worst piece of crap “service” I've ever seen -- and they want you to pay for it!), so it's all.

On a related note, does anyone know how to remove that part of WMP and put something useful there?
Humour | Misc. Technology
Sunday, October 03, 2004 6:25:00 PM UTC  #    Comments [2]  |  Trackback

Kalea: We don't put prices on our site because they might change

Kalea is a furniture store in Guatemala that pretends to be more upscale and “cool”. Some of their items are pretty nice, others are just marked up 300% for no reason. At any rate, for a while, they had no functional website (just an “under construction” page). Well, I recently checked their site (www.kalea.com.gt), and was overjoyed to find out that, alas, they have a product listing. Yay! Now I could see if there is anything new or good to buy without driving downtown and wasting time in the store. Was I wrong.

First, the product gallery consists of one crappy photo of the product. Second, the description (in all caps for no apparent reason), consists of one short line, such as “Wooden console. Metal legs. Polished wood finish.” This, coupled with the crappy pictures, ensures you have no idea what the product is. I've looked at tables and I have no clue if they are small two-foot night stands or great hall dining tables. Silly. But even so, I could probably get some clue if they had a product I was interested in, and then go down to the store to inspect and buy. Not quite.

Kalea has decided NOT to put prices on their site. Instead, they expect you to “request a quote” for every item you might be interested in. Now, their prices range from $30 - $1500 (or more) for furniture, and sometimes their prices are just outright crazy (say, their rugs, which are 3 times more expensive than the exact same rug in a store across the street). Thus, knowing the price becomes even more critical. “Hey, that looks like a nice light. Oh wait, $300 for a lamp? Forget it.” Also, before sending a quote, they ask you to fill in a form full of your info (rather than just an email address). So, I wrote them “Why the hell are there no prices”? Here's their response (they responded in English):

“Thanks for writing. The registration is needed so we can have your real information. Our website is intended for information only, this is a e-business site and not e-commerce site. If you can see, the cart is used to make a quote (Cotización), we will receive the list of products that you are interested on, and in a short time we will send you an email with the quote. We are using our site as a catalogue of products, they can be at sale, promotion, or not in store (but we can export them for you), so the prices may vary, and that is why we don't post them.”

Don't you love that last line? I guess they've never heard of databases that have the UPDATE command, or perhaps that you can actually edit data. Also amusing is the phrase “this is a e-business site and not e-commerce site”, as if I'm supposed to say “Oh, I'm sorry; now I understand.” Sigh.
 

Guatemala | Humour
Sunday, October 03, 2004 1:01:47 AM UTC  #    Comments [1]  |  Trackback

# Wednesday, September 29, 2004
VeriSign makes it easier to pose as a child online
i-SAFE and VeriSign announced their new product for kids: a USB device that acts as a smart card with the cute name of “i-STIK”. Apparently the problem of people posing as children online to later abduct them, or perhaps just get a thrill out of pretending to be 12 again and talking with kids, is very large. So the plan is to authenticate all kids online. VeriSign says adults posing as kids will stick out “like a sore thumb”, since they won't have a USB key/device/card/stick. What's wrong?

Well first, it won't work. There'll still be tons of kids without the cards, so it's dubious that other kids will stop talking to non-carded kids. Apart from that, software support is still non-existent. Last time I checked, IRC didn't offer a way to use a smart card. All sorts of communities would have to adopt this system. Also, it's “owned” by i-SAFE and VeriSign, meaning that implementing the system comes at a benefit only to those companies.

Will the system allow kids to send S/MIME email? Half the people I know can't verify my signed email or have no clue what it was. One person (who works for a telecom company) got so confused about my signed email that he couldn't figure out how to forward the message (no idea which mail client he was using). And suddenly, i-STIK is going to solve all these software and end-user problems? Yea right.

The claims made on that page are so utterly ridiculous: “...empower our youth with the key to unlock safe doors on the Internet...” and “...I am pleased that i-STIK technology will protect children from Internet predators...”. But these quotes show the lack of understanding and complete trust people are putting in this system. And this is where it gets bad.

Since this will be touted as “100% secure” and “perfect”, (much as SSL is touted by cert-selling companies), the true issues will be ignored. Just like in biometrics, failure can be quite devastating, not because of the technology, but because of the trust placed in it. There are millions of kids in the states. That's a lot of tokens. And somehow, VeriSign is going to ensure that tokens aren't correctly issued? Remember, VeriSign is the company that couldn't even stop themselves from issuing fraudulent certificates in Microsoft's name. And now they're going to issue tokens to kids? Issuing a token to a child is harder, since this is supposed to be an “anonymous” system -- i.e., no personal data of the child is stored.

So what happens when tokens end up in the wrong hands? Well, parents, children and teachers are taught to implicitly trust the tokens in whatever form they manifest themselves (an icon next to the person's name in the software?). Thus, when an attacker has a token, he can freely impersonate any child he wants, and even assume multiple childish identities (due to tokens being anonymous). Now instead of having usual caution when the attacker makes a move, everyone trusts that it's ok, “since the little kiddie icon is there”.

Fortunately, the system will probably fail due to other reasons, so we won't need to worry about this. But if it somehow succeeds (through clever marketing)... beware. The money going into such a system would be much better spent on education for kids, parents, and teachers. If your child is going to happily run off with someone they met online, no amount of technology is going to save him/her.

Press release: http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2004/page_016237.html
Security
Wednesday, September 29, 2004 9:13:23 PM UTC  #    Comments [1]  |  Trackback

# Wednesday, September 22, 2004
TCP Throttling Support

Had to handle my first support incident from XP SP2's great bug ^H^H^H^H feature that is TCP throttling. Somewhere, MS started listening to Steve Gibson when it comes to security. So they turned off RAW socket support in XP SP2 and added TCP throttling. TCP throttling was added late in the game (I'm pretty sure it was at RC1 or later).

While there's no real reason to do these things, MS claims it adds security, because when a virus runs, it's absolutely impossible for it to use its own driver or get around “safeguards” like this, right? Sigh... MS usually had well thought out security measures, always keeping in mind if malicious code is running as admin -- it can do anything! At any rate, XP SP2 limits the number of pending TCP connections to 10. Yes, 10.

More than security, it sounds like MS wanted to cripple P2P networks, as a 10 pending connection limit certainly does hurt many implementations. For instance, with eDonkey. I request a file, and get say 300 sources. I'll need to contact each source and get added to the queue. Well, 300 sources * many files = LOTS of connections needed. Since many of the sources could be slow to respond (throw in high latency connections (ever use a satellite?)), or simply offline and timeout, the 10 connection limit gets hit within seconds (I have eMule set to 512 connections max, with 128 per 5 seconds).  Even the defaults are high enough to hit this silly limit.

So today I get a call saying that Outlook won't contact my email server, and after this, they have to reboot their computer to access the Internet. After a bit of chat, I figure out it's XP SP2 being “helpful”, but limiting this guy's network software. The solution? Tell him to google for a hacked TCPIP.sys that gives him unlimited connections. (I'd love to post it here, but I think it'd be a legal issue. Maybe instructions on how to patch your TCPIP.sys file would be OK... At any rate, use google. Also, Neowin had a file in their forums for unlimited connections (other patches increase it to only 50)).

Great job -- forcing average users into downloading cracked system DLLs just to get basic functionality. Oh yea, and not accomplishing anything regarding security either. Fun.

Security
Wednesday, September 22, 2004 9:06:56 PM UTC  #    Comments [0]  |  Trackback

Amazing Text-To-Speech

A while ago a friend showed me some great TTS software online. But I couldn't find it again. But I did find this: http://www.research.att.com/projects/tts/demo.html From AT&T research comes text-to-speech that sounds quite realistic. Go try it out (they have US English, UK English, German and French). Now if only MS would start shipping these voices instead of Microsoft Sam...

Misc. Technology
Wednesday, September 22, 2004 2:57:58 AM UTC  #    Comments [0]  |  Trackback

# Saturday, September 18, 2004
Cute VC++ editor trick

One thing that really annoys me about the VC++ editor is that when you collapse something, say a method, it eats up all the lines around it, until the next non-whitespace line. So when you look at your file collapsed, you see all declarations all together, and at least I have a problem reading that easily.

However, here's a simple trick to get around it. Throw a tab in a line. The collapsed region stops consuming when it finds a tab, and thus you can get the appearance of separation with everything collapsed. Nice.

Code
Saturday, September 18, 2004 5:40:18 PM UTC  #    Comments [1]  |  Trackback