A Day in the Life Tuesday, 27 August 2013
Sometimes, I wonder what to do with myself. Everything goes extremely quiet. Then everything gets busy again.

DTrace: is like a gentle toothache. All is quiet. Then Linus releases a new kernel, and "here we go again" - having to make changes or respond to user queries, a flurry of activity for a few days, then all quiet for a while.

CRiSP: goes quiet. Then people ask for things - like a version for the Beagleboard (which is the same as the RaspberryPi build).

fcterm: all quiet for months/years. Then an ARM port of fcterm is requested.

All very strange - sometimes these support requests are a way of knowing who has just returned to work after the term starts or holiday period ends.

All very interesting in a strange kind of way.


Posted at 23:01:47 by fox | Permalink
Captchas Monday, 05 August 2013
Was reading the article at Slashdot regarding "Captchas" and the campaign to kill them off. I support this in the sense that it's darn annoying to be faced with captchas which defy the ability of a human to read them. It has the right effect of hurting people and not denying the bad guys.

Someone proposed some form of randomisation of the fields - but any form of "this is clever" is met with "but this is simple(r) to crack" by the bad guys.

If you randomize the field names, you have added zero complexity for a script writer, who just needs to parse the JavaScript to find the field names. If you randomize the JavaScript, you have added a tiny amount of complexity: parse the JavaScript and figure out the algorithm which does the randomization of the JavaScript. This is "genetic" or "mutation" programming - both of which have existed for many decades. Such mutations used to be (still are?) used in fingerprinting executable code to detect who/how/where the code was stolen from. (This is mostly non-existent these days - encrypting code, that is - as most apps are freely downloadable and either rely on an app store approach to downloading or contact a remote server to approve the use/purchase).

It's a hard problem to solve - if it was easy, it would be done. For every "easy" solution the bad guys can get in. Conversely, if you make it hugely difficult for the bad guys, you have hurt the good guys too.

For example, "fingerprinting" was at one time considered the ideal solution for securing devices. If you have watched many films, the "sticky tape copy of a fingerprint" is used to fool the device. That may not work in real life, but ... what is a fingerprint? To such a device a fingerprint is an "image" which causes some internal number to be generated. Generate the same "number" and you are in. So, now the problem distils not into having a duplicate fingerprint, but into having a fingerprint which is isomorphic to the one you want. (I overly simplify and I may be wrong, but that's the line of thinking). Even if I am wrong, and each fingerprint is uniquely matched, what happens when you lose a finger in an accident? You have lost access to the records stored in that system. (Hey! Not to worry, since likely the records were stolen by an SQL injection attack or XSS error anyhow!)

Here's a problem (and I don't have the answer): How do you hide an elephant in your house? (This is the kind of problem which bad guys need to solve all the time). (I can think of a few bad answers, but put a million bucks under the elephant, and someone will find a way to move the elephant and uncover your money).

Solving security problems whilst sitting on a sofa is soooo easy :-) In real life...not so.


Posted at 22:28:23 by fox | Permalink