taint.org: Justin Mason’s Weblog

TiVo Co-Opts Anti-Spam Terminology

September 15, 2005 at 5:33 pm

This is pathetic. As noted in the link-blog a couple of days ago (as well as everywhere else), TiVo’s new DRM features have been spotted ‘in the wild’, protecting the valuable Intellectual Property that is Family Guy and Simpsons reruns.

The icing on the cake is that TiVo have come up with a hilarious hand-wavy explanation — apparently it was line noise. Marc Hedlund of O’Reilly and Cory Doctorow are having none of it, and rightly so; as a bonus, Cory asked a group of DRM experts, who ‘burst into positive howls of disbelief’ that line noise could corrupt the DRM bits and the corresponding checksums to match.

From my angle, though, there’s another noteworthy factor:

“During the test process, we came across people who had false positives because of noisy analog signals. We actually delayed development (of the new TiVo software) to address those false positives.” (– Jim Denney, director of product marketing for TiVo)

Interesting use of the term ‘false positive’ there. Sounds more like a good old-fashioned bug if you ask me ;)

Anyway, I’m glad I went for the home-built option. It was pretty obvious that TiVo are in the cross-hairs, and their product is only going to get worse as the DRM industry push harder…

Tags: cory, couple, drm, family, intellectual, line, noise, product, property, tivo

# Comments

Stupid ‘Ph’ Neologisms Considered Harmful

August 6, 2005 at 12:21 am

Words: ‘Pharming’. I recently came across this line in a discussion document:

‘Wait, isn’t this exactly the kind of attack pharmers mount?’

I was under the impression that ‘pharming’ was a transgenics term: ‘In pharming, … genetically modified (transgenic) animals are
mostly used to make human proteins that have medicinal value. The protein encoded by the transgene is secreted into the animal’s milk, eggs or blood, and then collected and purified. Livestock such as cattle, sheep, goats, chickens, rabbits and pigs have already been modified in this way to produce several useful proteins and drugs.’

Obviously this wasn’t what was being referred to. So I got googling. It appears the sales and marketing community of various security/filtering/etc. companies, have been getting all het up about various phishing-related dangers.

The earliest article I could find was this — GCN: Is a new ID theft scam in the wings? (2005-01-14):

”Pharming is a next-generation phishing attack,’ said Scott Chasin, CTO of MX Logic. ‘Pharming is a malicious Web redirect,’ in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge. ‘We don’t have any hard evidence that pharming is happening yet,’ Chasin said. ‘What we do know is that all the ingredients to make it happen are in place.’

Oooh scary! The article is short on technical detail (but long on scary), but I think he’s talking about DNS cache poisoning, whereby an attacker implants incorrect data in the victim’s DNS cache, to cause them to visit the wrong IP address when they resolve a name. This Wired article (2005-03-14) seems to confirm this.

But wait! Another meaning is offered by Green Armor Solutions, who use the term to talk about the Panix and Hushmail domain hijacks, where an attacker social-engineered domain transfers from their registrars. There’s no date on the page, but it appears to be post-March 2005.

Finally, yet another meaning is offered in this article at CSO Online: How Can We Stop Phishing and Pharming Scams? (May 2005): ‘The Computing Technology Industry Association has reported that pharming occurrences are up for the third straight year.’ What?! Call Scott Chasin!

Steady on — it appears that the ‘pharming’ CSO Online is talking about, has devolved to the stage where it’s simply a pop-up window that attempts to emulate a legit site’s input — no DNS trickery involved. (This trick has, indeed, been used in phish for years.)

So right there we have three different meanings for ‘pharming’, or four if you count the biotech one.

It may be impossible to get the marketeers to stop referring to ‘pharming’. But please, if you’re a techie, don’t use that term, it’s lack of clarity renders it useless. Anyway, the biotech people were there first, by several years…

Tags: article, attack, attacker, cache, dns, domain, line, pharming, site, term, words

# Comments

Tip: expand a bash commandline as you type it

May 4, 2005 at 12:49 am

UNIX: another useful tip. Bash supports a wide variety of command line editing tricks; you have the usual GUIish editing (backspace, insert new characters, delete, blah blah) through the GNU Readline library, and in addition to that you have the traditional csh-style history expansion (like ‘!!’ to refer to the previous command typed).

The latter are great, but they won’t actually be expanded until you hit Enter and run the command line. That can be inconvenient, resulting in the user being forced to reach for the rodent for some cut’n'paste instead.

Here’s a handy trick — add this line to ~/.inputrc (creating the file if necessary):

Control-x: shell-expand-line

Start a new bash shell. Now, if you type CTRL-X during command line entry, any shell metacharacters will be expanded on the current command line. For example:

% echo Hello world
Hello world

% echo Hi !$       (press CTRL-X)
           (current command line expands to:)
% echo Hi world

There’s a few more commands supported, but none of them are really quite as useful as shell-expand-line.

Update: ‘Smylers’ wrote to point me at this UKUUG talk from 2003 which discusses .inputrc expansions, and provides some insanely useful tips.

In particular, Magic Space clearly knocks this tip into a cocked hat, by performing the expansion on the fly as you type the command, with no additional keypresses — amazing! Bonus: it works if you use Emacs-mode line editing as well as Vi-mode.

I strongly recommend reading that paper — lots of other good tips there.

Tags: bash, blah, command, editing, expansion, inputrc, line, shell, type, unix, world

# Comments (1)

Reorganisation, and ancient history

March 23, 2005 at 8:44 pm

Life: Alec Muffett quotes an Economist opening line:

We tend to meet any new situation in life by reorganising, Petronius Arbiter, a 1st-century Roman satirist, is supposed to have remarked. And what a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralisation.

As apt today as it was then.

(I was recently talking to a mate who’s a post-grad in the classics. She noted that classicists aren’t the fastest-moving academicians around, speculating that maybe it was because, in studying the classics, you realise the same problems and the same solutions have been around for over two thousand years regardless of change in other aspects of life.)

Tags: confusion, economist, illusion, inefficiency, life, line, method, progress, satirist, situation

# Comments

Taxation Ventage

March 14, 2005 at 8:32 pm

Taxes: it’s that time of year again, when every inhabitant of the US, resident and ‘non-resident’, gets The Fear. Yep, it’s tax time. (Warning: this is a long and protracted vent.)

In the US, every worker is required to prepare and file their own taxes, in detail. Nowhere outside of India can do bureaucracy quite like the US, as far as I can tell — even the brits have embraced simplicity to a greater degree — so this is no trivial undertaking; however, they do have a few outs, if you’re eligible.

Naturally, given my luck, I’m not. ;)

Now, I’m no slouch when it comes to form-filling; I’ve had to deal with messy forms many times before. But these are masterpieces. Check out this gem:

The ATNOLD is the sum of the alternative tax net operating loss (ATNOL) carryovers and carrybacks to the tax year, subject to the limitation explained below. Figure your ATNOLD as follows.
Your ATNOL for a loss year is the excess of the deductions allowed for figuring AMTI (excluding the ATNOLD) over the income included in AMTI. Figure this excess with the modifications in section 172(d), taking into account the adjustments in sections 56 and 58 and preferences in section 57 (that is, the section 172(d) modifications must be separately figured for the ATNOL). For example, the limitation of nonbusiness deductions to the amount of nonbusiness income must be separately figured for the ATNOL, using only nonbusiness income and deductions that are included in AMTI.
Your ATNOLD may be limited. To figure the ATNOLD limitation, you must first figure your AMTI without regard to the ATNOLD. To do this, first figure a tentative amount for line 9 by treating line 27 as if it were zero. Next, figure a tentative total of lines 1 through 26 using the tentative line 9 amount and treating line 27 as if it were zero. Your ATNOLD limitation is 90% of this tentative total.
Enter on line 27 the smaller of the ATNOLD or the ATNOLD limitation.
Any ATNOL not used may be carried back 2 years or forward up to 20 years (15 years for loss years beginning before 1998). In some cases, the carryback period is longer than 2 years; see section 172(b) for details. The treatment of ATNOLs does not affect your regular tax NOL.

That pretty much appears as-is; there’s no additional explanation of those acronyms elsewhere, it’s just a big block of jargon. Obviously not intended for human consumption. There’s also this:

Medical and Dental. Enter the smaller of Schedule A (Form 1040), line 4, or 2.5 % of Form 1040, line 37.

That seems well and good, and according to the instructions, the 1040NR is 100% compatible with the 1040. Except Schedule (Form 1040NR), line 4 is:

Gifts to U.S. Charities. Gifts by cash or check.

What do charity donations have to do with medical and dental expenses? WTF? (I suspect the compatibility claim is incorrect.)

Last year, I hit up H&R Block for their help; it saved a lot of hassle, but was pretty expensive, costing over $200. Overblown TV advertising alert: of course there was no great refund, despite what their ads claim. However they did recommend that I donate old clothes to thrift stores, keep the receipts, and claim that back as a tax contribution. I’m serious. Given my wardrobe, that should net about $10.

This year should be a lot simpler, since I’m just a US nonresident working visa holder doing nothing but paying plain old income tax — so I was intending to just fill out the forms myself.

I think I’ll tick that idea off my list and check out the online options.

All I can say is, no wonder quite a few US citizens seem to think that government involvement is something to be minimized if at all possible. There are alternatives though — I’d happily take an Ireland-style ‘nanny state’ which will compute my tax liabilities for me if I so choose. It’s not like I’d be in a position to argue with them anyway, aside from the common case of hiring a tax attorney, if we disagree; so why not let the government do the heavy lifting? ;)

(PS: the good news is it now appears I may qualify as a resident. This means Turbotax.com is a viable option… yay!)

Tags: amti, atnol, atnold, figure, income, limitation, line, section, tax, taxes, year

# Comments

Life Hacks: getting back to the command-line

August 24, 2004 at 9:33 pm

Tech: So Danny O’Brien’s ‘Life Hacks’ talk is one of the most worthwhile reflections on productivity (and productivity technology) I’ve heard. (Cory Doctorow’s transcript from NotCon 2004, video from ETCon.)

There’s a couple of things I wanted to write about it, so I’ll do them in separate blog entries.

(First off, I’d love to see Ward Cunningham’s ‘cluster files by time’ hack, it sounds very useful. But that’s not what I wanted to write about ;)

People don’t extract stuff from big complex apps using OLE and so on; it’s brittle, and undocumented. Instead they write little command-line scriptlets. Sometimes they do little bits of ‘open this URL in a new window’ OLE-type stuff to use in a pipeline, but that’s about it. And fundamentally, they pipe.

This ties into the post that reminded me to write about it — Diego Doval’s atomflow, which is essentially a small set of command-line apps for Atom storage. Diego notes:

Now, here’s what’s interesting. I have of course been using pipes for years. And yet the power and simplicity of this approach had simply not occurred to me at all. I have been so focused on end-user products for so long that my thoughts naturally move to complex uber-systems that do everything in an integrated way. But that is overkill in this case.

Exactly! He’s not the only one to get that recently — MS and Google are two very high-profile organisations that have picked up the insight; it’s the Egypt way.

There’s fundamentally a breakage point where shrink-wrapped GUI apps cannot do everything you want done, and you have to start developing code yourself — and the best APIs for that, after 30 years, has been the command-line and pipe metaphor.

(Also, complex uber-apps are what people think is needed — however, that’s just a UI scheme that’s prevailing at the moment. Bear in mind that anyone using the web today uses a command line every day. A command line will not necessarily confuse users.)

Tying back into the Life Hacks stuff — one thing that hasn’t yet been done properly as a command-line-and-pipe tool, though, is web-scraping. Right now, if you scrape, you’ve got to do either (a) lots of munging in a single big fat script of your own devising, if you’re lucky using something like WWW::Mechanize (which is excellent!); (b) use a scraping app like sitescooper; or (c) get hacky with a shell script that runs wget and greps bits of output out in a really brittle way.

I’ve been considering a ‘next-generation sitescooper’ a little bit occasionally over the past year, and I think the best way to do it is to split its functionality up into individual scripts/perl modules:

one to download files, maintaining a cache, taking likely freshness into account, and dealing with crappy HTTP/HTTPS wierdness like cookies, logins and redirects;
one to diff HTML;
one to lobotomise (ie. simplify) HTML;
one to scrape out the ‘good bits’ using sitescooper-style regions

Tie those into HTML Tidy and XMLStarlet, and you have an excellent command-line scraping framework.

Still haven’t got any time to do all that though. :(

Tags: brien, command, everything, hacks, life, line, pipe, productivity, stuff, tech, way

# Comments

A UNIX shell tip

June 25, 2004 at 2:23 am

UNIX: I’ve just made the first change to my core bash configuration in years, to add -b to the set command-line. It triggered some thinking about when the last one was.

It turns out, that apart from writing scripts and aliases frequently, I haven’t changed my commandline UI in any respect, since about 2 years ago. By contrast, I’ve been hacking about with GUI settings continually, new desktop backgrounds, themes, colours, etc. Odd!

Anyway, here’s the tip — it’s very handy, I find.

I changed to using a 2-line prompt, with the first line containing the time and the full working directory, in a ‘magic’ cut-and-pasteable format:

        : exit=0 Thu Jun 24 17:55:29 PDT 2004; cd /home/jm/DL
        : jm 1203...;

Note that the prompt starts with “:”, which means that bash/sh will ignore the line until it hits “;”. The end result is that the entire line evaluates to “cd /home/jm/DL” when pasted. Hey presto, cd’ing several terminals to the same dir just involves triple-clicking in one, and middle-button-pasting into the others. nifty! Similarly, the second line has a little bit of prompt, but that snippet will be ignored when cut and pasted.

Having the exit status of the last command (bash var: $?) is useful too. The code:

  do_prompt () {
    echo ": exit=$? `date`; cd $PWD"
  }
  PROMPT_COMMAND='do_prompt $?'   # executed before every prompt
  do_prompt 0                     # set up first prompt
  PS1=": `whoami` \!"
  PS2="... >>; "            # continuation prompt
  PS1="$PS1...; "

Tags: bash, change, command, commandline, configuration, core, exit, home, line, respect, unix

# Comments (2)

How Not To Use OOP

December 18, 2003 at 9:41 pm

Code: OOP over the top: a hilarious dissection of some of the most monstrous ‘how to rewrite OO-style’ I have ever seen — take a 15-line if/elseif/else clause and rewrite as a thoroughly over-engineered unmaintainable 7-class, 15-method disaster, using the Singleton and Factory patterns. The rewrite in the original article is intended seriously, as far as I can tell.

As the xmldatabases.org article says: ‘this is really a general problem with OO development. Fancy object oriented architectures have become the goal and this article maybe makes that point more clearly then anything I could ever say. It’s representative of the thinking from a few years ago (written in 2000), and shows us just how much damage we now have to undo. It basically says that the simple solution that just works is wrong and will be unmaintainable. Maybe that’s true, maybe it’s not, nowhere does the article consider the question of whether or not that code actually needs to be that generic. It simply says that the simple solution is bad and that the seven class monster they came up with is the right solution. Talk about doing a disservice to students trying to learn how to build solid computer systems.’

(Found via sourcefrog.net – Martin Pool’s weblog, great for Linux and code bits).

WebMake: linux.com: An introduction to building sites with WebMake. W00t! Let’s hope nobody asks any questions while I’m away for xmas ;)

Tags: article, class, code, dissection, line, linux, oo-style, oop, solution, webmake

# Comments

XmlStarlet, and lots of stuff

November 21, 2003 at 8:06 pm

XML: XmlStarlet: ‘a set of command line utilities (tools) which can be used to transform, query, validate, and edit XML documents and files using simple set of shell commands in similar way it is done for plain text files using UNIX grep, sed, awk, diff, patch, join, etc commands.’ Sheer genius!

SCOvEveryone: Humorix: ‘PROVO, UTAH — Nearly two hundred humor writers, fake news reporters, and tongue-in-cheek columnists descended on SCO’s headquarters yesterday to protest the company’s continued slide into unreality.’

‘Humor writers have very active imagination. But none of us — absolutely none of us — could ever have imagined the kind of ludicrous and inconceivable things that SCO has decided to pursue,’ explained a reporter for the New York Times, the world’s leading source of spurious news. ‘You simply can’t make this stuff up… a fact which represents a great hardship on humorists everywhere.’

(thanks Ben!)

Ireland: some beautiful pics of Dublin in Autumn from Diego Doval.

Books: Hari Kunzru rejects the John Llewellyn Rhys award, since it is sponsored by two notoriously anti-immigrant newspapers, the Daily Mail and the Mail on Sunday:

both ‘pursue an editorial policy of vilifying and demonising refugees and asylum-seekers … As the child of an immigrant, I am only too aware of the poisonous effect of the Mail’s editorial line. The atmosphere of prejudice it fosters translates into violence, and I have no wish to profit from it. … The Impressionist is a novel about the absurdity of a world in which race is the main determinant of a person’s identity. My hope is that one day the sponsors of the John Llewellyn Rhys prize will join with the judges in appreciating this.’

Well said! (via Oblomovka)

Health: University of Chicago healthcare ’stories of shame’. A shockingly widespread situation in the US, as far as I can tell. For non-USians wondering what all the fuss is about, have a read of this and it’ll become clear. At the same time, the US government spends more per capita on healthcare than Sweden does. Figure that one out…

Tags: editorial, humor, line, mail, news, none, sco, set, world, xml, xmlstarlet

# Comments

Using a Web of Trust to stop spam

October 20, 2003 at 2:09 am

Spam: Been thinking about a distributed ‘web of trust’ approach to fighting spam.

Kevin Burton conversing with Raph about a web-based trust metric.
Bram writes about using (non-distributed) trust metrics against spam. With code ;)
Trust Management on the WWW, by none other than Rohit Khare and Adam Rifkin!
Trust Networks on the Semantic Web, a paper.

Combine those with another key point — that we do not need PKI, crypto, or any other changes to identify senders in current SMTP — and it could be done today, I think.

Why we don’t need crypto to identify an SMTP sender

Every email message delivered via SMTP across the internet will contain these headers:

the From line
one or more Received headers

Traditionally, whitelisting uses just the From line, which is vulnerable to spoofing. SpamAssassin used this up to version 2.3x. Spammers started spoofing mails where ‘From’ was the same as ‘To’, and since most people had themselves in the whitelist, that worked. boo.

In 2.3x or 2.4x, we added code to extract the IP addresses from the Received headers, and use a combined token — ( from_address, ip_address ) — as the sender’s address.

(In fact, we use just the top 24 bits of each IP to deal with situations like DHCP or dialup pools, where a relay may get a different IP every now and again. That’s close enough, at least.)

This is much harder to forge without doing a full-scale TCP spoofing attack; which is why the SpamAssassin auto-whitelist generally works well.

So basically, to identify someone strongly enough to provide a spam fix in plain old vanilla current SMTP, gen up a string containing their ‘From’ address, along with all the /24 masks of the IP addresses found in the ‘Received’ headers.

Remove your relays’ IP addresses, and you have an unspoofable ID for that person’s SMTP traffic. Any spammer who wants to spoof that, will have to compromise their mail server (or a server in the same /24). That’s not cost-effective for spamming.

Note that whitelisting based on that is effectively what the SpamAssassin auto-whitelist does. But for that to be more useful than the AWL, it has to extend over the internet to those people your friends haven’t corresponded with yet; ie. it’s got to be distributed.

(If you would like to comment on this scheme, I’d prefer if you could post comments at this QuickTopic forum.)

Tags: address, code, crypto, line, received, sender, smtp, spam, trust, web

# Comments

Using a Web of Trust to stop spam

October 20, 2003 at 1:48 am

Been thinking about a distributed ‘web of trust’ approach to fighting spam.

Kevin Burton conversing with Raph about a web-based trust metric.
Bram writes about using (non-distributed) trust metrics against spam. With code ;)
Trust Management on the WWW, by none other than Rohit Khare and Adam Rifkin!
Trust Networks on the Semantic Web, a paper.

Combine those with another key point — that we do not need PKI, crypto, or any other changes to identify senders in current SMTP — and it could be done today, I think.

Why we don’t need crypto to identify an SMTP sender

Every email message delivered via SMTP across the internet will contain these headers:

the From line
one or more Received headers