Second edition, revised and expanded. Some time ago I sent an email to a group of friends, but it seems that many of you did not receive it. For this reason I decided to publish it on the site, to avoid fighting with spam filters. Here I have included more descriptions and attached a few photos.
Have you ever read an email? I bet you were about to say "yes!", but I assure you that you most likely have not.
What you've read is just what the sender wanted you to see. Emails are not delivered to your computer screen by some magical force; the process involves various transformations that are applied to the email while it is en route. The real thing looks different, and it contains various details that indicate how the message travelled across the globe before it reached you.
I will reveal some of the details about how it works, and explain how this can be used to track anonymous messages. While the story itself is in plain English, there are some technical quirks that I'll include for the geeks in the audience; feel free to skip those and look at the pictures instead.
HCIsec is an emerging field that combines HCI with security. Basically, it is the science of figuring out how an interface influences the security of a system.
To give you a taste of what this is about, I will explain the concept of denial of service via interface modes.
I will focus on organizing a denial of service attack against a biometric lock that I happened to find nearby.
The system has a fingerprint scanner with a keypad. Here's a very simplified view of how it works; many states and transitions were omitted:
- The system is idle
- Press * and do nothing - the system reverts to a default state after a timeout of about 15 seconds
- Press * and scan an unknown finger - the system indicates that the fingerprint is not recognized and reverts to a default state
- Press * and scan the finger - if the fingerprint is accepted, access is granted.
This set of rules is designed to help me stay on my path without breaking my moral standards.
The reason I need this to be written down is because when I am under pressure exerted by someone else, I can get too focused on the matter at hand and fail to take into account the long term effects of my decisions. For example, when arguing with someone, an immediate objective is to end the unpleasant conversation - so I concentrate on that. The easy thing to do is to give them what they want and get out of there. Later I realize that the shortcut taken is in conflict with my ideals.
Keeping this list at hand all the time makes it easy to remember what my priorities are, so the chance of a blunder is much smaller.
We all want to live in a world that is fair. We must realize that:
- Fairness doesn't happen automagically, it is created by people.
- If other people don't do it, you have to.
- A good time to start is right now.
- Long term consequences are still consequences. They are difficult to predict, yet that doesn't mean they won't bite you in the ass later.
- When things go wrong and you blame it on the universe or society, you must also blame yourself; unless you can honestly say "I've tried all that was in my power to prevent it".
- The good feeling of sticking to my moral standards is much more powerful than the short-term good feeling of ending an unpleasant conversation.
If you keep all of the above in mind, you'll realize that you actually have a lot of power in your hands. If you think it is too late to make a change, think again. There's a proverb I really like: no matter how far you've gone on a wrong path, turn around now.
p.s. this list is a work in progress, please help me expand it.
I have recently created a series of video tutorials in which I explain how to create an analog of fortune and cowsay for Windows.
The software is written in Python (so it is actually cross platform), the tutorials are entry level. If you have some basic ideas about programming, you should not have problems figuring out what is going on.
My primary objective is to use it as an aid in teaching. It would be wonderful if more of my students used Python, so I hope I can point them to the videos and expose them to the beauty of the language.
There are a few analogs of fortune for Windows, but they are graphical applications that display the text in a separate window; whereas I want the messages to be shown in the console automatically.
There is also a cowsay equivalent, but I figured that since it is rather easy to make a simplified alternative of my own - I'd just use it as an excuse to create a few more screencasts.
The covered subjects:
- how to use Python's interactive mode for experiments
- analyze the HTML structure of a site and find the desired data
- how to write XPath queries to extract content
- Python lxml - how to use XPath in Python
- retrieve HTML pages with urllib
- SQLite - how to devise a simple database schema
- how to use SQLite in Python
- ASCII art, how to find images of characters and render them in Python
- find a way to integrate the software in the Windows command line interpreter (cmd.exe)
- putting it all together and watching the system in action
Yes, if you look well enough, you can find existing versions of these programs that run on Windows. But a screencast about running two programs is not as cool as one about creating your own, right? :-)
Have fun watching and feel free to ask questions. Here's the intro (don't forget to switch to HD quality):
One of my recent challenges involves searching data in LDAP directories. After experimenting for a while, I had to test the code. The plan required setting up my own server, configuring it and populating it with some dummy data. I was not enthusiastic about it, because that would extend the scope of the experiment and take a lot of time.
But I got lucky! It turns out there are a lot of public LDAP servers that can be accessed anonymously. In a matter of minutes I was sifting through mountains of interesting data. The juicy part is that the details are tightly correlated - I don't see just emails or just names; I see the name and the email address associated with it. Depending on the directory schema, there may be other data available.
This is a great deal for spammers - email addresses are accompanied by names, and you know which country the person is from (usually derived from the c [country] attribute of the DN [distinguished name]):
dn: uid=11260,cn=Berliner Volksbank e.G. CA 2004 1,o=Berliner Volksbank e.G.,c=DE
o: FIDUCIA IT AG
cn: Holger R*****
Since many directories are hosted by universities - you can also see which department the person has joined. In this example, you can also see a timestamp that tells you how fresh the data are:
dn: uid=aaa258,ou=Students,o=New York University,st=New York,c=US
cn: Alicia A Alc****ra-Hewitt
givenname: Alicia A
o: New York University
ou: Steinhardt School of Culture, Education, and Human Development
Some directories provide information about mailing lists, which include the email addresses of every subscriber:
'objectClass': ['top', 'rfc822MailGroup', 'umichExpire'],
In some cases emails are not shown, but knowing a person's name, their email address can be guessed. For example, if you know my name and the pattern for addresses in my company - firstLetterFirstName dot lastName @ company.com - you can figure out what the email address is.
Phishers and spammers can exploit this - by targeting and tweaking messages such that the recipient cannot easily discern a phishy message from a real one.
Another handy aspect is that the data are stored in an "easy to use form". For example, many directories have web-based search front-ends: you can run search queries there, but you then have to parse the resulting HTML to extract the data. In contrast, with LDAP you just run the query and get the data in the form of "a large, properly formatted data file" (see the example above; it was taken directly from a Python console - the emails are in a list, everything is in a dictionary).
If you think about it, you'll probably ask "But isn't this the point of a public directory?". Yes, that is what such directories are for. Unfortunately, this also exposes a lot of personal information that can be used to craft sophisticated phishing attacks.
Some directories provide phone numbers too. You can either spam these people to death with voice robots (it is easy to automate this with Asterisk), or you can rely on this information to refine your email phishing campaigns. After sending them an email, you can call - thus making the email appear legitimate. A skilled social engineer can be very persuasive.
On the bright side, there were several LDAP directories that:
- imposed limits on the number of returned search results
- denied access to some parts of the directory
- used a GUID instead of a real name (supposedly that identifier can be linked to a person in some other database)
If I ever turn to the dark side, LDAP servers would definitely be a top priority in my evil experiments.
Taking notes when reading books is very helpful, if understanding and memorizing is what you want. The more times you process an idea in your head, the likelier it is that the idea will stick to you. I developed the habit of taking photos of fragments I found interesting, such that I could get back to them later and quickly sift through the notes, instead of having to go through the whole book again.
Prior to this, I used to take notes on paper, but that raised several problems: I use different notebooks and I don't always have them with me; paper cannot be searched, thus the notes had to be digitized. That takes time and feels like doing the same work again. I then tried to write the digital notes as I was reading - that didn't work well, as it kept me tied to computers. I found a better solution that is less advanced, but is good enough for practical purposes - photos taken with a mobile phone.
The photos are published online - anyone can comment and exchange opinions. This brings us closer to a "knowledge should be free" world. As a result, my friends and colleagues can get involved, and so can perfect strangers! This turns reading books into a social activity.
Distilling books is the process of extracting key ideas from a large text. The trick is in compressing a 500 page book into a set of 50 pictures that can be reviewed in half an hour. If you've read the book in the past - these snapshots will help you rebuild the big picture; if you haven't - they will help you decide whether you want to read the book or not. For an uber-lazy person, the distilled notes can serve as a replacement for the real thing (lossy compression is better than nothing).
The tools I rely on:
- Skitch for Android lets me take a photo, crop it and highlight the passages I'm interested in;
- Facebook for Android lets me publish photos directly from my mobile. I set the album properties to 100% public, so anyone can view them;
- Prior to becoming an Android owner, I took photos with a digital camera and edited them with GIMP or Paint.NET, depending on which computer was closer to me. This is very flexible, but it cannot be done "on the fly" (i.e. while I read), thus some photos were not posted because they got "lost in space". Doing everything on the mobile phone makes the process much smoother and "lazy-proof".
Here's a list of books that have been distilled so far:
- Punished by rewards by Alfie Kohn - a book about motivation and rewards in schools, at work or at home. As the title says, rewards are actually punishments, they can seriously undermine one's performance; this applies to children and adults. The book mentions a lot of experiments, there is plenty of evidence.
- The most human human by Brian Christian - you think you think? Think again! The author analyzes different aspects of the Turing test and delves into many related fields. The book has a lot of interesting examples, excerpts from Turing test conversations, references to historical events and old philosophers. There are plenty of jokes too.
- Intimate relationships and A general theory of love - two books focused on human relationships: mother-child, romantic relationships, friendship, sexuality. These are scientific books, with charts and references to statistical data.
All new books will be added to the "book distillery" section of this site. I will be very happy to extend this list with your contributions, please keep in mind that:
- the photos must be public, you can post them anywhere, as long as anyone can view them without having to sign up;
- the photos must be of a decent quality, the text must be sharp and readable.
If you're a fan of Worms, the classic game, you are probably asking yourself how to play it on a modern system. An easy solution exists; I will summarize the key points that steered me in the right direction.
Worms Armageddon is the latest version that is still being updated. I thought it was Worms World Party (it was released ~2 years after Armageddon), that's why I kept tinkering with it, to no avail. After some digging, I got in touch with one of the game's maintainers (CyberShadow, who happens to be a guy from Moldova). He confirmed that:
- Armageddon is the latest version.
- It runs properly on 64-bit Windows 7.
- World Party is outdated, no need to bother with it.
- You have to apply the latest updates to actually make it work; here's a changelog.
As a result of these operations, it works on my computers (Win7 x64 and Linux):
- With an on-board Intel graphics card, while online forums are filled with "Intel card - no luck" comments.
- There is no need to kill explorer.exe or employ any other form of voodoo magic.
- It works with resolutions above 1024x768, including exotic ones - such as my laptop's 1400x1050.
- It also works on everything else (Vista, Windows 7 32-bit, XP, etc).
- It also works smoothly on Linux under WINE (verified on Linux Mint 11, x86).
- My only complaint is that it requires admin rights, but I can live with that.
- Buy the game on Amazon.
- A no-cd patch can be found on Gamecopyworld, to increase convenience.
- Worms Wiki - the place to learn about neat tricks that can be applied in the game.
If you know my whereabouts, I happen to have an archive that has all of the above in it, just unzip and run the EXE.
Let the battles begin!
Disclaimer: I am not a lawyer, I wrote this for personal reference. If you find some inconsistencies or incorrect statements, please let me know - I'll apply the corrections.
This article provides short, plain English descriptions of different open source license types, so you can rely on it when deciding whether a component is suitable for use in your commercial program, or which license to use for your products.
It is optimized for shortness and for being clear to non-experts.
Beer vs freedom
Free as in "beer" vs free as in "freedom" - you must've seen this a zillion times all over the web:
- Beer - when a person says something is "free", they usually mean the cost is zero
- Freedom - in the world of open source software, "free" means that you have the freedom to review and create derivative works. This is about liberty, not about money.
- In fact, open source software can be sold for money, no one prohibits that. However, you must provide the source code too.
- FLOSS - free/libre open source software - this means that you can see the code and you get the freedoms too
- "Open source" doesn't always imply "libre" (i.e. free as in "freedom"). For example, a piece of code can be open source, but it may be an implementation of a patented algorithm, so you really can't use it unless you pay royalties to someone.
Although it feels like meat grinders have been around since the beginning of time, they are a relatively new toy. The first one was built in the 19th century, by Karl Drais; the same guy who created the velocipede - a proto-bicycle.
Every time I have to use one of these, I am facing the meat grinder's dilemma. In plain English:
Which way does the knife go in?
Aaaaah! You've been there too, haven't you?