Andrew Breese

Musings of a professional geek

Category Archives: Software and Development

Blockchain and Bitcoin Humble Bundle

The current Humble Bundle is all about Bitcoin and Blockchain – two topics which are well understood in technical circles, but not well understood in many others. Like the post on Crypto and Cybersecurity with the Humble Bundle, I think this is worth seriously considering. At the $8 level it is good value and handy to have a handful of electronic textbooks. I’m no expert, but I plan to at least validate what I think I know against useful sources. Happy reading.


Sync Calendars between Lotus Notes, Outlook, and Google

For a while now I’ve been trying to sync my various work calendars, which run on three separate disconnected platforms: Lotus Notes (my current site), Outlook365 (my office), and Google (personal and phone). After trying an open source solution InGoogleCalSync which did half of what I wanted, I found a paid service called AweSync which is darn good – and worth talking about.

Essentially AweSync allows the calendar entries to be sync’ed both ways between Google’s calendar and Lotus Notes. It also syncs tasks and contacts, but I’ve not turned on that feature. The app is clever enough to understand that I have multiple Google calendars, and manage changes between them. The open source app was limited to one-way push, and events could not be edited in both places reliably, but AweSync handles this.

The Outlook calendar sync comes from the boilerplate MS Exchange config on the iPhone which supports contacts, tasks, events, etc. This means that events from my company are two-way sync’ed between Outlook and Google in one calendar, events from my work site are sync’ed from Lotus Notes to Google in another, and my third Google calendar is for personal information. I can see all three sub-calendars now in Lotus Notes, can tell by colour which is which, and also see an exact match on my mobile phone. Just like it should be when we try to have a central place to manage meetings and appointments – this small app and the darn large behemoth called Google have provided what I needed.

AweSync was a mongrel to set up due to the locked down permissions on my site computer, which essentially needed to be opened up so that it could run properly. The support team from AweSync were wonderful, and it was their diligence in assisting me that really helped me decide to purchase it (USD$20).

So I still absolutely loathe Lotus Notes as an email and calendar application, but at least I can now manage my appointments properly.

Thwarting hackers with “honey encryption”?

A Boston Globe blog reported that a trickier approach to dealing with hackers might be a better approach. Essentially make the data messy and it will not be as desirable. It certainly sounds interesting as a concept. Brainiac wrote “rather than trying to block hackers, maybe it’s better to distract them.”

The approach is built into a new piece of software called Honey Encryption, created by Ari Juels and Thomas Ristenpart, and it works on a simple model. After hackers steal a trove of encrypted data, they hunker down to crack the code. It can take them thousands of tries before they’re able to guess the right cryptographic key, and Honey Encryption makes them pay for each failed attempt.

Each time hackers enter the wrong password, Honey Encryption adds a piece of fake data to the dataset—by the time hackers finally get access to the data, it’s swimming with so many fake credit card numbers, for example, they’ll have no idea which ones are real.

Pardon? I think the readers might be missing a key aspect of the information here. This is plausible only in a very specific, and very infrequent, circumstance.

For this approach to work the “honey encryption” software needs to be running with the stolen data-set. In fact it is unlikely that the data would be stolen at all; rather it is being attacked on its normal infrastructure. Frequently when data is stolen the database itself is extracted en masse, and the encryption used on the information in the database is broken later. A hacker is not going to willingly run an application which does Honey Encryption on the data they are trying to hack. Is the assumption that the software for accessing the encrypted data is somehow packaged with the data in the DB? Huh? No! This means that for the times where the hack attempt is happening on the live system this approach might work, but otherwise it does not apply.

The same software could also alert the admin teams very quickly that a potential attack is in progress. This is the approach taken with the “honey words” concept, where a dataset is set up with a number of “deliberately bad” entries for each user account so that when the hacker tries to use the decrypted data an alert or action is triggered. That makes a heap of sense.

So this approach adds junk data into a live system to increase the ratio of bad data to good data for when it gets stolen? Yes, and as long as the good data is not altered by the “honey” then the end user is not affected, but the system owners can know of a potential exposure. Interesting.
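The “honey words” scheme described above, as an added Python sketch: this is not code from the post or from the Honey Encryption authors, and the class names, the PBKDF2 hash and the split between the credential store and a separate checker are assumptions made for the illustration.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Added illustration of the "honeywords" idea: one real password hash is
# stored among several decoys, and only a separate checker knows which is
# real. A login that matches a decoy means the store was stolen and cracked.

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class HoneyChecker:
    """Kept on a separate, hardened host: knows only which index is real."""
    real_index: dict = field(default_factory=dict)   # username -> index
    alerts: list = field(default_factory=list)

    def check(self, user: str, index: int) -> bool:
        if index == self.real_index[user]:
            return True
        # A decoy matched: the credential store was almost certainly
        # stolen and cracked offline. Record an alarm for the admin team.
        self.alerts.append(f"honeyword hit for {user} (decoy #{index})")
        return False

class CredentialStore:
    """The file an attacker would steal: salt + K hashes per user, one real."""
    def __init__(self, checker: HoneyChecker, decoys_per_user: int = 4):
        self.checker = checker
        self.k = decoys_per_user
        self.rows: dict = {}                      # username -> (salt, [hashes])

    def enrol(self, user: str, password: str, decoys: list) -> None:
        assert len(decoys) == self.k and password not in decoys
        salt = os.urandom(16)
        sweetwords = decoys + [password]
        # Shuffle so the real password's position in the list reveals nothing.
        order = list(range(self.k + 1))
        secrets.SystemRandom().shuffle(order)
        shuffled = [sweetwords[i] for i in order]
        self.rows[user] = (salt, [_hash(w, salt) for w in shuffled])
        self.checker.real_index[user] = shuffled.index(password)

    def login(self, user: str, password: str) -> str:
        salt, hashes = self.rows[user]
        candidate = _hash(password, salt)
        for i, h in enumerate(hashes):
            if secrets.compare_digest(candidate, h):
                return "ok" if self.checker.check(user, i) else "ALERT"
        return "denied"          # ordinary wrong password, no alarm
```

The real user is never affected (their password still works), which is the point made above: the decoys only change what a thief can do with a stolen copy.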


How to almost sync with BitCasa mirrors

BitCasa is a free cloud backup tool, which has a basic mirroring function for files that you want to be automatically backed up into the cloud instead of scheduling a backup. I was looking for a replacement for SugarSync’s folder synchronisation feature, and BitCasa’s functions are close but not really there yet. It seems that they have a beta app which is based upon bittorrent, but again not for a live sync.

Aside – the BitCasa cloud solution is pretty neat. I’m impressed by what they offer and their price point. The paradigm that it uses is not an attached storage volume really, but more like an external drive which happens to be on a remote server. That drive is almost read-only to your machine, and certainly read only from any other machine that tries to access the files. It is cloud backup, not a sync service.

This is the scenario:

The initial setup was a folder on my laptop and one on my desktop which were set to always be kept in sync. This meant that files were always kept in reasonable sync, and I didn’t have to worry about manual copying or a scheduled copy which I might forget.

Now what I have is a folder on each location which are both copied up into BitCasa’s servers (yes, up into that fluffy white cloud of absolute trust). The difference is that each machine is used for slightly different things, so that what I do on the laptop generally isn’t used on the desktop. The sync is for emergencies, so it might work.

The trouble is that each machine uploads the selected mirrored folder into a separate space in that cloud, and the two areas are never sync’ed together. I’d love them to, but for the purposes of having my files backed up somewhere, this is enough.

When it comes to wanting to use one of the files which is on the other machine’s backup it needs to be copied back down to the new machine and stored. Just like an offsite solution, you don’t go editing the back-up tape. Now that I get the mindset, I don’t mind so much. If something exceptional happens in the file-sync space I’ll probably post it here, but till then BitCasa will get a bit of playing around.

Happy backups.

SugarSync goes paid only, darn it

SugarSync has cancelled their free offering, in a similar time frame to LogMeIn. Like LogMeIn the product itself was solid, and it was tempting to pick up a paid service for SugarSync. Unlike LogMeIn though, the SugarSync people actually gave fair warning of the product going paid only, and offered a humongous discount for the people who are signing up. I reviewed and recommended SugarSync in Feb 2011 and have liked their product all this time. Unfortunately the reason I use it is not something that allows me to generate extra income, so it is harder to justify signing up for.

The free equivalent I’ve started trialling is BitCasa. They offer the same sync-a-folder option between two computers which was the key feature I liked. BitCasa offers a staggered set of storage options, including an unlimited one, which I’d be tempted to test to see how “unlimited” it really is, given that these things usually have some sort of cap written into the fine print.

I’ll write up the impressions of BitCasa shortly. Secretly I’m hoping I can get a few folk on it too, and up my default free storage.

Goodbye LogMeIn, maybe Chrome can help?

LogMeIn are stopping their free product dead, effective now. As a user of the free version I’m affected, was unaware it was coming, but I’m not surprised. There are snarky posts and comments starting up all over, but on this choice I kind of agree with LogMeIn.

They’ve given away a reasonable product for free to a very large user base for around 10 years, and now they wish to be paid. There is a kind of grace period for the cutoff too, but that grace period is very short so won’t do much to dissuade the “freeloading” masses. As a freeloader I say meh. My usage was low and irregular enough that I’ll not be paying for the service, and that also means I am certainly not the type of user that LogMeIn wishes to continue to support for free. I’ve had a great run and it is time to cash up or leave.

It is a pity that the base cost is very high. Superficially I think there is a lost opportunity for a pay-for-use option between the full yearly subscription and nothing. If it were more like a cup of coffee to use, and could be billed ad hoc, I’d give that some serious thought.


So yeah – the “important changes” are that it’s no longer there. Surprise. I’m uninstalling as I type.

As an alternative I’m first going to look at what Google Chrome Remote Desktop can do, and perhaps even think about a VNC type solution. And there is also TeamViewer which a lot of the LMI ex-users are talking about.

The regular rate of subscription is discounted for now, perhaps as a gesture of encouragement.

They’ve not really informed anyone in advance, and perhaps that was the strategy. There was never going to be a good reaction from the free users on taking away the product. So perhaps they cut them off quickly in the hope that their need for the product is urgent enough that they are kind of forced to pay for the product even if it is just until they get a replacement. But then the subscription is annual, so they’re locking in for a while.

Programming Satire

[Language Warning, sensitive folk will not like the words which follow…*]

While flipping through SlashDot I found a link to Programming-Motherfucker, a satirical manifesto for coders.

Programming, motherfucker! (Photo credit: d0mix)

Initially I thought it was clever in a snarky “vent their frustration” kind of way. Dev folks frequently get frustrated and seeing something like this might help them keep calm and carry on.

Then I got to reading the site and it is actually useful. At the moment it derides and talks down the tasks peripheral to the coding, which is kind of a shitty approach, but given the target market for developer snarkiness it is acceptable. Preaching to the converted is always easier. That said, by also providing guidance (i.e. not a manifesto, but a link list) for how to code better there is real material to be found within the questionable wrapper.

So as satire, it’s a good 5 second gag and might have some value as a way to vent frustration. As a manifesto it is not so much.

If you are a frustrated dev (or a closet try-hard frustrated dev like me) then it might be worth a laugh.

If you are looking for a jump point on how to start learning to code a language from the perspective of a developer, then this is an excellent start. My advice is to totally ignore the blunt manifesto aspect of the site and seriously look into the links and the associated technologies. There are some cool things hiding in there.

* Perhaps having a warning of strong language on my blog is a little late or silly, but I can still see the trees in the forest of internet language, and sometimes it is better to say upfront that the blog content will be harsh. Especially if somebody actually clicks the links.

More Random Thoughts on Random

The mighty SlashDot has a post about how the random number generators that come supplied with the Linux OS may not be random enough, or specifically may not gather entropy well enough*. As I find RNG in programming to be darn interesting (also known as PRNG – pseudorandom number generation, because you know it can never be really truly random) I’m sharing it here so I can ponder it and thrash it out.

As a fan of this stuff the /. post page is wonderful. Arguments back and forth, supposition and analysis on the arguments and allegedly brutal attacks between Linus and the community, and the fallout when cooler heads prevail. It is a great example of the online debate that happens around the open source community, where we can actually read for ourselves and appreciate the breadth of the impacts and discussion. The impacts from the choices made in the development of RdRand, vs /dev/random and /dev/urandom are very important within the scope of PRNG, but they are also a very small part of the overall Linux kernel, such that the scope of change and the community based observations can be consumed.

I love it for the fact that it is a debate amongst a niche community (relative to the Internet) where passions drive separate and disparate goals. Here is a bit of info and a quick meandering.

As the header in the SlashDot article quotes from the source article:

“As a followup to Linus’s opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random. From the paper: ‘From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly.

These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the “robustness” notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.'”

It is a big question how random and how entropic a PRNG process has to be when shipped with an OS. I can follow that the best possible solution should ideally be used, but can also see a point at which the degree of randomness/entropy desired is provided by a range of tools; and perhaps for most installations that vulnerability in the RNG’s breadth of entropy is actually fine. Meaning – how random does a media box for a TV need to be? I’d start the analysis with a purpose in mind, to keep to the best of the community’s use for the OS, and consider the edge case where a specialised implementation might be performed anyway, which renders the default delivered in the OS package somewhat moot.

i.e. A server running primarily as a file server, or providing innocuous functions, probably needs very little in advanced RNG as it has very few crypto-based tasks to perform. Sure there might be a few impacts which are less than perfect around the edges, but not many. Conversely a system which is being depended on for very high security functions or transactions does not want a vulnerability which could be exploited, or a value which could be predicted.

If the default OS packages have an inherent security flaw, rather than a point of vulnerability in a particular implementation, then that is fixable. The debate and banter really got into high gear in the comments when the specialists joined the discussions.

The debate also broached the possibility of some of these tools for randomness having vulnerabilities which were either exploited by, or designed by, the American NSA. Respectfully, it is a discussion that I find distracting at best. If the community can not find over time the vulnerabilities in the code, be they intentional or not, then the experiment has failed. In truth so far, the experiment is working. At least from where I am sitting looking at the body of work for Linux, and all the derivations.

Firstly, what in hell does the entropy have to do with the random numbers in a program?

If I understand it (which is questionable) then the entropy as in use by an algorithm needs to be sourced so that it is not predictable. This is not “entropy” meaning “decay”, this is “entropy” meaning “unpredictable”.

How random does a program’s RNG need to be?

For me, a 1 in 1000 generated number range being guessed correctly 1 in 200 times shows a problem. That is not a huge problem if the app itself is just a toy, but in a commercial product I think that can be considered undesirable. This is the range of random that one of the default tools in the Linux distro potentially could create if an attack was performed and it was not set up correctly. I think that is a narrow attack probability, but it is there.

Like everything else in IT, the context of use is really critical to how severe the impact is, and how much work is invested to getting to a better result.

i.e. N in 1 to 1000 can be correctly guessed roughly every 200 attempts – that is poor. I guess that 1 in 200 is really low by layman’s standards, but exceedingly high by crypto and PRNG standards.

A chance of guessing a 1 in 1000 number being 1 in 1000 is obviously darn reasonable, and not an issue at all. Another part of the setup which can sometimes be performed incorrectly (especially in Windows based apps using the default RNG functions) is when the app is not seeded properly.

I found this a long time ago when writing a simple dice roller program where my seed value was going through a small algorithm, but about a third of the time the result was the same. This meant that it was likely (1 in 4) that the app would have the same result for the first “random” number. Not sufficiently random at all. My implementation in this case was the problem, which I fixed, but it did get me thinking about how better to do it.
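The seeding failure in the dice roller story, reproduced as an added Python sketch. This is not the author’s original program: the minute-resolution seed standing in for the “small algorithm”, the launch timestamps and the function names are all constructed for the illustration.

```python
import random
import secrets

# Added illustration: a seed that discards resolution makes repeated launches
# produce the same first "random" roll, and shrinks the attacker's guess space
# to the number of distinct seeds rather than the number of sides on the die.

SIDES = 6

def weak_seed(launch_time: int) -> int:
    # Mimics a seed pushed through a "small algorithm" that throws away
    # resolution: the seed is the launch minute, so every start within the
    # same minute seeds the generator identically.
    return launch_time // 60

def strong_seed(launch_time: int) -> int:
    # Ignore the clock entirely and take 64 bits from the OS CSPRNG
    # (/dev/urandom on Linux, the CryptoAPI/BCrypt generator on Windows).
    return secrets.randbits(64)

def first_roll(seed_fn, launch_time: int) -> int:
    """Simulate one program launch: seed once, return the first d6 roll."""
    rng = random.Random(seed_fn(launch_time))
    return rng.randint(1, SIDES)

def distinct_first_rolls(seed_fn, launch_times) -> int:
    """How many different first rolls a series of launches produces."""
    return len({first_roll(seed_fn, t) for t in launch_times})

def distinct_seeds(seed_fn, launch_times) -> int:
    """Effective seed space: someone who knows the scheme and the rough launch
    time needs at most this many guesses to predict the first roll, however
    large the generator's output range is."""
    return len({seed_fn(t) for t in launch_times})

# Constructed: twelve launches, five seconds apart, all inside one minute
# (1_700_000_040 is exactly on a minute boundary).
LAUNCHES = [1_700_000_040 + 5 * i for i in range(12)]
```

With the weak seed all twelve launches share one seed and one first roll; with the OS-seeded version the first roll varies, and predicting it is no easier than guessing the die.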

I’m still pondering and reading.

Instapaper, a darn handy reading app


Laura put me onto a darn handy app for bookmarking and reading content, especially when I find something that I want to read later. Instapaper. You mark content using a widget in the browser, or (I think) send yourself notes, and then the app downloads them locally.

This way I can keep a small smattering of scintillating summaries, and devour them at my pleasure. iPhone and web versions, with all sorts of goodies that I’m still finding. Thanks Laura.

I’m a fan of Unsubscribe Now

I’m a fan of useful and clear functions, especially in marketing campaign emails. As such here is a quick rant about how to facilitate Unsubscribe in email marketing.

In short – I love it when an email message contains single click Unsubscribe. Even better when it also contains options to change my preferences without remembering passwords, logins, or asking me to jump through hoops.

A single click unsubscribe is fast when you want to use it, makes it clear that the organisation is (likely) thinking about the user when they send the email, and it provokes a reaction in me where I am likely to stay on that mailing list because I know I can quit at any time.

Conversely I have an option in my email program (Gmail) that offers me the choice when a company does not – it’s called the MARK AS SPAM button. Click, and you’re gone. Forever.

Let the email marketeers ponder which they’d prefer. My choice is easy.

ps. Thanks to the fine folks at 10collective who do this well in their email communications. Their message prompted this mini-post, so they deserve a back-link as credit.
