Thursday, November 19

On Predictability

I've been thinking a bit lately, and I've come up with this maxim:

Anything predictable is exploitable.

I'm going to confine this to network traffic at this point, since it's the only application for which I've given this much thought, but I'm willing to bet that it holds true in other areas as well.

Keep in mind that exploitability is not, in itself, a bad thing. A Web browser predicts that an http:// server is running on port 80 and exploits that. With that assumption, most people won't have to know what the previous sentence even means. Sometimes you run across sites where you have to enter "" in your address bar for servers that aren't using port 80 for Web traffic, but the ability to assume and predict a standard port is good.

On the other hand, exploitation can be bad. In old TCP stacks, the sequence numbers always started with 1 and incremented from there. This ability to predict traffic and forge legitimate responses can allow malicious machines to hijack sessions through what's called a "man-in-the-middle attack." More modern implementations of TCP/IP start the sequence number randomly; this prevents prediction and exploitation.
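An added example, not part of the original post: a Python sketch that puts a counter-based initial sequence number (ISN) beside an RFC 6528-style keyed one and measures whether the values handed to one peer let an observer extrapolate the value handed to another. The class names, the 64000 step, the use of HMAC-SHA256 as the keyed function and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class CounterISN:
    """Predictable scheme: one global counter shared by every connection."""

    def __init__(self, start=1, step=64000):  # step is an illustrative constant
        self.value, self.step = start, step

    def next_isn(self, four_tuple, clock):
        isn = self.value
        self.value = (self.value + self.step) % MOD
        return isn


class KeyedISN:
    """RFC 6528-style scheme: ISN = clock + F(4-tuple, secret).
    HMAC-SHA256 stands in for F here (an assumption of this example)."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def next_isn(self, four_tuple, clock):
        digest = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (clock + int.from_bytes(digest[:4], "big")) % MOD


def extrapolation_hits(gen, trials=200):
    """Count how often linear extrapolation from two ISNs handed to one peer
    equals the ISN handed to a different peer on the next connection."""
    observer = ("192.0.2.10", 40000, "198.51.100.5", 80)  # constructed 4-tuples
    other = ("192.0.2.77", 51515, "198.51.100.5", 80)
    hits, clock = 0, 1000
    for _ in range(trials):
        a = gen.next_isn(observer, clock)
        b = gen.next_isn(observer, clock + 250)
        guess = (b + (b - a)) % MOD
        hits += guess == gen.next_isn(other, clock + 500)
        clock += 750
    return hits


if __name__ == "__main__":
    print("counter-based:", extrapolation_hits(CounterISN()), "of 200 guessed")
    print("keyed:        ", extrapolation_hits(KeyedISN()), "of 200 guessed")
```

With the keyed generator the observer still sees its own ISNs advance with the clock; what it loses is the ability to carry that knowledge over to a different connection.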

There are many steps in a chain at which predictability can lead to exploitability when it comes to network security, and not all of them are even technological. Take, for instance, the predictability that some percentage of users will click the link in a spam email message. Given that mass amounts of email can be sent at virtually no charge, and there is always some small percentage that will respond positively, there is still a return on investment that makes spam campaigns profitable. [0]

The same thing applies to cryptography. The only way to have a message encrypted well enough in transit to prevent decryption is to create ciphertext that is as close to pattern-free true randomness as possible. If there's any way to detect patterns, and therefore create predictability, exploitation will soon follow.

I can go on, but I think I'll stop here for now. I think, however, that the ability for prediction to beget exploitation is the driving force behind security these days (not limited to computer security). For instance, it's the regulated unpredictability of financial systems like the stock market that keeps people from reliably exploiting them for their own gain!

I might have more thoughts later, but I just wanted to put this out there while it was on my mind.

[0] "Spamalytics: An Empirical Analysis of Spam Marketing Conversion." Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, and Stefan Savage. Communications of the Association for Computing Machinery 52(9):99-107, September 2009.

Tuesday, November 17


This is an awesome quote from one of my favorite tech columnists. It's the final line in the linked article.

Remember that to Google, the millions of people who use the Internet are like one big immense sofa with thousands of cushions. It’s always rummaging through our user experiences and finding loose change that we never knew we lost and never miss once it’s been taken.

Friday, August 7

Pull Quoting

“Conservative activists don’t want to have a conversation,” said Jennifer Crider, a spokeswoman for the Democratic Congressional Campaign Committee. “They want to disrupt.”

Hm... that sounds familiar. Maybe a bit like the liberal activists while Republicans were in power?

Can somebody actually have a conversation sometime, please?

Health Plan Opponents Make Voices Heard

Friday, July 3

iPhone 3.0 (3GS) Voice Control problems

OK, so I really like the new iPhone. However, its Voice Control feature is really not up to snuff.

Firstly, if I want to dial the phone by voice, I have to take the phone out of my pocket and speak into it—even if I've got a Bluetooth headset connected. My old RAZR let me voice dial into the headset by pressing the button; why won't the iPhone? The headset button just makes the iPhone redial your last outgoing number, and only if you hold it down for a couple of seconds.

Secondly, if I have a playlist containing only podcast episodes, Voice Control won't play it. Apparently Voice Control will only play songs for some reason. I've got multiple podcast playlists (one for the short daily ones that I want to listen to first, and another for the other longer ones that come out less frequently), so when I want to switch between them I have to glance down at the screen.

Thirdly, and probably most important to me, there's no way to use Voice Control to start a playlist in shuffle mode—which, once my podcasts are finished, is exactly what I want to do. I have to start a playlist, then separately issue a "shuffle" voice command or shake the phone (if 'shake to shuffle' is enabled). While this could be a serviceable enough option, it adds one to the Skip Count of the first item in the playlist! I haven't skipped the song; I just wanted to start the playlist in shuffle mode. This throws off my smart playlists, some of which use Skip Count and Last Skipped Time to determine which songs should be included.

The worst part of this two-steps-to-shuffle bit, however, is how long it takes—especially while I'm driving the car. I should be able to issue a single voice command, not go through the whole rigmarole twice just to end up how I want it. Not to mention that it takes nearly 3 seconds of holding the button down just to start Voice Control each time, and then it may or may not understand my command properly the first time anyway.

Actually, in the process of writing this post, I discovered a way to get a playlist going in shuffle mode without incrementing any songs' Skip Counts, but it takes three steps! First, issue the Voice command "shuffle", then it says "no music is playing; do you want to play music now?" So then you have to wait for the beep and say "yes," which starts playing your whole library in shuffle mode. Then you can start Voice Control again and tell it to play a particular playlist, which will then start in shuffle mode.

Apple, please think of the people who are using your products in the car! Make it simple to place calls and initiate shuffled playlists without looking at the device! There's a "shuffle" button at the top of every playlist in the visual interface; shouldn't that be an option in the spoken interface as well?

I realize that, at iPhone OS 3.0's introduction, they said that Voice Control wasn't totally complete. However, its inclusion at all was one of the big things that convinced me to finally get one, so I'm a bit disappointed that it was added on without the usual polish of most Apple products.

Wednesday, May 27

Hudzee - Hard Drive storage

I just found out about a new hard drive storage case which is actually pretty neat. Most technology enthusiasts and computer professionals have at least a few hard drives just sitting around, full of old data which we're not quite willing to discard just yet. Or maybe it's a new drive you just picked up cheap at a swap meet or rummage sale.

Sure, you can put these bare drives into anti-static bags, but that can get clumsy. It's hard to store a bunch of bagged drives, and it's even harder to figure out what's on each one.

The Hudzee helps you safely store and organize your drives. It's a plastic case with a bit of padding on the inside to keep the drive's delicate components from getting scuffed or scratched. For anyone who regularly deals with hard drives—whether it's storing spares in case of failure, archiving old data, or for transporting large amounts of data via "sneakernet"—these cases are very cool.

I recently ordered a few, and I'm really impressed with how well the drive mechanisms are protected. They're cushioned, but still given plenty of room inside the case to breathe. There's also a window on the outside of the case for labeling, so you can remind yourself of the drive's contents or purpose when it's sitting on the shelf.

I definitely recommend the Hudzee drive case. It's an easy way to keep your data protected, secure, and easy to organize.

$8 each ($65 for 10).

HUDZEE - Keep Your Internal Drives Under Control
(via The Adventures of Systems Boy!)

Sunday, April 19

Today's FoxTrot

Bill Amend quit doing FoxTrot comics on weekdays, but he still draws them for Sundays. Once again, it's a puzzle, and today's was pretty fun. I figured out all of the letters in my head, though two of them I solved by inference and not mathematically (I seriously can't remember how to do differentials, and I didn't bother with the three-digit divisor).

Fox Trot

Thursday, April 9

My (brief) adventures with AppleTV

So I bought an AppleTV yesterday. I had been advised against it by two different people, especially since my primary intended use was going to be for playing videos from Hulu through the Boxee plugin. I'd been told that the Flash video playback on the device was no good, and both of the people to whom I spoke had either uninstalled Boxee or gotten rid of the device altogether.

However, I'm stubborn, and I figured my standards couldn't be too demanding. Hulu on my iMac looks awesome, even through Boxee, so how much worse could the AppleTV be? I still watch cable and DVDs through the coaxial input on my TV, after all! Also, my TV is a 4:3 CRT, and I haven't even been exposed to the fancy-schmancy High Definition stuff that's all the rave these days. I just wanted to see it for myself, so I went to the Apple Store after work yesterday and picked up a 40GB ATV.

I thought that my set, with its HD component video inputs, was capable of displaying 720p HD—but apparently it isn't. I had to settle for standard-def 480i output from the device, which was the first disappointment of the evening. I set the machine to sync with my iMac's iTunes library, then I sat down to eat dinner with my wife (who was finally discharged from the hospital yesterday! hopefully she stays well for a while this time).

After I finished cleaning up from dinner and loading the dishwasher, all of the lights in the house suddenly turned off. They flickered back on briefly, but soon the house was dark. Thankfully, it wasn't yet 7pm, and Daylight Saving Time meant that there was still enough light coming through the windows that we weren't entirely enshrouded. My AppleTV adventure was cut short, though. I turned on my (battery-powered) EeePC in order to look online for the power company's phone number, only to realize that the outage had also turned off my modem and router. I ended up using Google's 800-GOOG-411 service to get ahold of them anyway, and was told that it was a known outage that should be resolved by 7:46pm.

Around 7:30, the lights came back on. I turned the AppleTV back on and resumed the iTunes sync. I let the AppleTV play the latest episode of the FLOSS Weekly podcast while it finished syncing and I surfed the Web on my netbook. This was the best use of the device I'd had yet... the ability to listen to podcasts & surf the Web while downstairs in the living room and not holed up in front of the iMac in my home office.

After the sync was finished, the AppleTV wanted to update itself to the latest Apple firmware, which I allowed it to do. Then I created the USB patchstick with my SanDisk thumb drive so I could hack the box and install Boxee. It installed and ran just fine, so I fired up Hulu. The video there was incredibly choppy. It got better when I turned off the 480p high-resolution stream in my Hulu account and restarted the stream of Monday's episode of Chuck, but it still wasn't smooth. This was very frustrating, and the Boxee CBS player had the same problem. Oddly, the Comedy Central player was better, but still not great.

Boxee was awesome when I set it up to play video files over the network from my Mac. I had a House episode I'd downloaded recently since my cable box's DVR cut off the end of the show, and the XviD file played great streaming through Boxee.

However, my main attempted use for the AppleTV was going to be a replacement for cable, watching all the shows I like with Hulu and through Apple's iTunes Store. I wanted to make sure I got all my video legitimately, through paid or ad-supported Internet means, and not have to resort to downloading all my shows from the shadier corners of the Internet. Since Hulu wasn't satisfactory as a cable replacement (and Big Bang Theory doesn't have any legal Internet distribution, anyway), I restored the device to its factory settings and put it back in the box to return it to the Apple Store.

It made for an enjoyable evening of hacking around (I even enabled ssh access to the AppleTV, which was pretty fun just for the hack value), but it's just not viable as a replacement for cable. I'll probably need a full-scale Mac mini for that, but if I'm going to run full-on OS X I don't want to be using a CRT with overscan, anyway. I'll wait until I can afford both a mini and a new flat-panel TV with HDMI input, which probably won't be for a while.

Tuesday, March 17

Apple's new announcement

First off... this is probably the very first Apple announcement in at least four years that I didn't know about in advance. Seriously, the first time I heard about Tuesday's press event was in the NYT article linked below. I feel this is my first step toward becoming a "cranky geek."

In any case, I've finally been thinking more about getting an iPhone, and this new wave of features (and the speculated cheaper new hardware in the summer) is making it ever more attractive.

The oddest thing to me about this report, though, is the description of their new "pay for program enhancements" feature in the App Store. When I read this, my first reaction was to think, "Cool! People can now offer free trial apps and then charge for an upgrade to the full version, like Mac apps have done for years!" However, they've explicitly stated that any app offered originally for free can't have any paid add-ons, so this model won't be available. If developers want to offer trial software, they'll still have to put separate free and paid apps into the Store.

I also hear that they're upgrading the synchronization of personal information from the Internet to the device in the form of direct CalDAV support. Sounds cool; I'm officially considering this seriously now.

Apple Shows Off Next Version of iPhone Software - Bits Blog

Friday, February 27

Geek Code update

Well, I haven't updated my Geek Code in about 18 months, so I was due for a refresh. Of course, everything is horribly dated since the code itself was last updated in 1996, but here's where I am today:

Version: 3.12
GIT/MU d+() s:+>: a->+++ C++> ULXB++++$ L++ M++ w--() !O !V P++ E--- W++ N
o++ K? PS PE+ Y+ PGP- t !5 X- R tv+ b++ DI++ D--- G++ e*++ h--- r+++ y+++?

(my geek code decoded)

Saturday, February 7

That "25 Random Things" meme

I don't think I've been "tagged" yet to do a "25 Random Things About Me" list on Facebook, but I've seen a number of them. While I think it's an interesting idea, I dread getting into it since it would probably become a big multi-day project that I'd spend endless hours tinkering with and refining, and then agonizing over the finality of hitting the "Post" button.

The following article from the New York Times takes a sardonic look at the whole phenomenon, and until I get around to writing such a list (if I ever do), please consider Amy Harmon's "generic" contribution to be my own.

25 Random Tips for the Busy Facebook User - The Lede Blog

Friday, January 30

Val Kilmer to be... blah, blah, blah

I don't care so much about this article itself; I focused more on the accompanying photograph. Is that seriously the guy who played The Saint? I know that was 12 years ago, but he seems to have aged nearly twice that.

Kilmer to be king of Bacchus in New Orleans parade - Yahoo! News

Monday, January 12

Today's xkcd

Sledding Discussion

With a reference to Calvin & Hobbes... fantastic!

Thursday, January 8

Windows is officially irrelevant

In a NYT piece this morning, Microsoft CEO Steve Ballmer argues that the upcoming "Windows 7" will be important. However, this paragraph from the article just made me laugh:

He added, however, that Windows 7 should not have the same sort of problems with compatibility with devices and programs that Vista did. While some of underlying architecture of Vista changed from earlier versions of Windows, Windows 7 is built on Vista’s underlying structure.

That means that users upgrading from Vista to Windows 7 won't experience any problems. However, anyone that didn't upgrade to Vista because of the compatibility problems will still face the exact same roadblocks if they try to use Windows 7.

He's assuming that all his customers are using the latest version and might just have had some problems getting it to work. But in my lab, I still have all the workstations running Windows XP. I was hoping the next version of Windows would respond to criticism from the cautious and provide a cleaner upgrade path from XP, but based on this report of Ballmer's CES keynote I'm no longer optimistic.

Thankfully, our use of XP is just a fallback measure for a few pieces of software that aren't cross-platform; Linux is our main operating system and will continue to be for the foreseeable future.

Ballmer: Windows Is Still Relevant - Bits Blog

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. Permissions beyond the scope of this license may be available by emailing the author (use the link above).

The Geek Code desperately needs updating, but in any case here's mine (as of 2010-02-28):

Version: 3.12
GIT/MU d+(-) s:+>: a C++> ULXB++++$ L+++ M++ w--() !O !V P+ E---
W+++ N o++ K? PS PE++ Y+ PGP t !5 X- R- tv+@ b++ DI++++ D--- e*++
h--- r+++ y+++ G+

If you really care about knowing what that all means, you either know the code already, or you can get it decoded for you here.