Monday, December 8, 2008

How the Indian IT Industry is tiding over the current global crisis? - A Nasscom Report

The PuneTech blog reports on a recent talk by Ganesh Natarajan of Nasscom on how the Indian IT industry is tiding over the current global crisis. The presentation can be found here. The report is full of graphs and figures and is a very interesting and motivating read.

My summary of the report
  • In spite of global uncertainties, the aggregate revenue of the IT-BPO sector as a percentage of GDP continues to rise (albeit a little less than in previous years).
  • This growth (in the face of the current global crisis) is partly due to entry into new market verticals like airlines, media and healthcare, in addition to banking, financial services, insurance and telecom. This reduces dependency on any single vertical.
  • The industry is progressing towards providing more end-to-end services. The report cites the BPO industry as an example, where in addition to customer support, services like finance, accounting, HR, procurement and knowledge services are also being offered.
  • India is exporting its services to more and more regions (though the US still holds a 61% share). The fastest growing areas are Europe and the Middle East. This makes us less prone to mistakes made by "superpowers" :).
  • The report indicates that by 2020 India will lead the world in working-age population. The estimated work force surplus will be 47mn in India, against a shortfall of 17mn (shown as -17mn) in the US. This extreme imbalance in work force will work towards India's sustained growth.
To ensure that India does not lose its advantage a number of initiatives are being undertaken:
  • IT export services are being spread across more cities to manage the pressure on Bangalore, Pune, Hyderabad, Chennai and Delhi. Nasscom identifies around 43 Tier 2/3 cities.
  • There is a comprehensive program in place for making India's large talent pool "employable". It includes short-term objectives like large investments in training, medium-term objectives like faculty development programs to train and retain faculty (very important given the current shortage of good teachers in our country), and long-term objectives like setting up new IITs, investing in technology innovation, etc.

Tuesday, November 18, 2008

Embracing New Technology : The Twitter Case

I am a technogeek and try to integrate new technology into my everyday life as much as possible. This post is about how I am using Twitter.

As most of you may know, Twitter is a short messaging service which people use to convey updates in real time. It has become the micro-blogging platform of choice and has many cool advantages, one of them being the ability to post live updates from a computer, a regular mobile or a smartphone. These updates can then be fetched via RSS feeds.

I use Twitter to tell people (whoever is interested) what I am currently up to. These are normally sent to my Twitter account as an SMS from my mobile. The current status then appears on my webpage.

So the next time you call me and I do not pick up the phone, please check the twit on my webpage!

Sunday, November 16, 2008

IPv4 Countdown vs. State of IPv6

The Internet Assigned Numbers Authority (IANA) is the body that manages the IPv4 address pool (the unicast range runs from 0.0.0.0 to 223.255.255.255). IANA assigns blocks of this space to the five RIRs (Regional Internet Registries): AFRINIC, APNIC, ARIN, RIPE NCC and LACNIC. The RIRs use their own distribution policies to allocate addresses further to local registries and ISPs, which in turn assign them to end hosts.

Potaroo.net predicts the following dates for the exhaustion of IPv4 address space.
Projected IANA Unallocated Address Pool Exhaustion: 04-Feb-2011
Projected RIR Unallocated Address Pool Exhaustion: 05-Mar-2012
A live counter of the number of days until we hit exhaustion of the IPv4 address space can be found here. This counter is generated using data from the potaroo.net report. The report is pretty detailed and explains the modelling used for predicting the dates. Please note that the modelling is based on the address distribution policies currently used by the RIRs and on current consumption trends, so a policy change or a run on the remaining pool would move the dates. The following graph (from the potaroo.net report) shows the current status of IPv4.


An explanation of the graph follows:

Note that there are 256 /8s, where each /8 is 16,777,216 addresses.

IETF_Reserved: blocks reserved for special purposes. It consists of 16 /8 multicast blocks (224.0.0.0/4) + 16 /8 reserved blocks (240.0.0.0/4) + 1 /8 (0.0.0.0/8) for local identification ("this" network) + 1 /8 (127.0.0.0/8) for loopback + 1 /8 (10.0.0.0/8) for private use (RFC 1918) + 1 /8 (14.0.0.0/8) for public data networks, i.e. 36 /8s in all.

IANA_Pool: /8s still held by IANA for allocation to the RIRs.

Allocated: allocated by IANA to an RIR. This does not reflect current consumption, because the RIRs hold pools of their own from which they allocate downstream.
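To make the accounting behind the graph concrete, here is an added example (my code, not from the potaroo.net report) that tallies the 256 /8s into the three categories above using the special-purpose /8s just listed. The set of /8s shown as still sitting in the IANA pool is a constructed sample chosen only to exercise the code, not a snapshot of the real IANA registry.

```python
"""Tally the IPv4 /8 blocks into IETF_Reserved / IANA_Pool / Allocated.

Added example, not from the original post. POOL_SAMPLE is a constructed
set of 39 /8s, not the real IANA pool at the time of writing."""
import ipaddress

ADDRS_PER_SLASH8 = 2 ** 24  # 16,777,216 addresses

# IETF-reserved /8s as enumerated in the post: 224.0.0.0/4 (multicast) and
# 240.0.0.0/4 (reserved) are 16 /8s each, plus four individual /8s.
IETF_RESERVED = (
    set(range(224, 240))      # multicast
    | set(range(240, 256))    # reserved for future use
    | {0, 127, 10, 14}        # "this" net, loopback, RFC 1918 private, public data nets
)

# Constructed sample of /8s still unallocated in the IANA pool (39 of them).
POOL_SAMPLE = {
    1, 5, 23, 27, 31, 36, 37, 39, 42, 46, 49, 50,
    *range(100, 116),
    176, 177, 179, 180, 181, 182, 183, 184, 185, 197, 223,
}
# Everything else in the unicast range 1/8..223/8 counts as allocated to an RIR.
ALLOCATED_SAMPLE = set(range(1, 224)) - IETF_RESERVED - POOL_SAMPLE


def classify_slash8(first_octet, rir_allocated=ALLOCATED_SAMPLE):
    """Graph category of the /8 whose first octet is given."""
    if not 0 <= first_octet <= 255:
        raise ValueError("first octet must be 0..255")
    if first_octet in IETF_RESERVED:
        return "IETF_Reserved"
    if first_octet in rir_allocated:
        return "Allocated"
    return "IANA_Pool"


def classify_address(addr, rir_allocated=ALLOCATED_SAMPLE):
    """Category of the /8 containing an arbitrary IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    return classify_slash8(int(ip) >> 24, rir_allocated)


def tally(rir_allocated=ALLOCATED_SAMPLE):
    """Per category: (number of /8s, number of addresses, percent of the space)."""
    counts = {"IETF_Reserved": 0, "Allocated": 0, "IANA_Pool": 0}
    for octet in range(256):
        counts[classify_slash8(octet, rir_allocated)] += 1
    assert sum(counts.values()) == 256  # every /8 lands in exactly one bucket
    return {
        name: (n, n * ADDRS_PER_SLASH8, round(100 * n / 256, 1))
        for name, n in counts.items()
    }


if __name__ == "__main__":
    for name, (n, addrs, pct) in tally().items():
        print(f"{name:14s} {n:3d} /8s  {addrs:>13,d} addresses  {pct:5.1f}%")
```

The reserved share comes out at 36 /8s, about 14% of the whole space, which is why the graph's unicast total is well short of 256; swap in the real IANA registry for `POOL_SAMPLE` and `ALLOCATED_SAMPLE` to reproduce the current figures.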

So much for IPv4. Now let's look at IPv6.

In 2008, there have been at least two big studies on the state of IPv6.

The reports are detailed but these are a few interesting points.

1) Arbor Networks' experiment measured the total amount of IPv6 traffic flowing in the backbone, and they note that

At its peak, IPv6 represented less than one hundredth of 1% of Internet traffic.

2) The biggest reason cited in the summary for the above observation is money.

Specifically, the Department of Commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6.
3) Google's effort measures the state of IPv6 from an end-node perspective, as opposed to Arbor's backbone measurement. Their key observations are:

  • 0.238% of users have useful IPv6 connectivity (and prefer IPv6).
  • 0.09% of users have broken IPv6 connectivity.
  • Probably a million distinct IPv6 hosts exist.
  • Russia leads the chart in IPv6 penetration.
  • IPv6 prevalence is low but increasing steadily week by week.
  • IPv6-over-IPv4 tunnelling is the most common transition mechanism.
  • Mac OS has better IPv6 penetration than Vista because of the default policies in the two OSes.

So given the predictions about the end of IPv4 and the rate of adoption of IPv6, are we ready for migration? In February 2008, ICANN added IPv6 addresses for 6 of the 13 root DNS servers (news here), which is a step in the right direction, but is it enough to prod people to migrate?

I have the following concerns about the migration:

  • What would dictate the migration: economics or a better-future-internet?
  • Will ISPs be willing to pay the price?
  • Even if they are willing to do so, can consumers and businesses transition to IPv6 seamlessly?
  • Will security products continue working the same way?
  • Are vendors testing their implementations with IPv6, so that a simple software update will do for the tons of software already out there?
  • How will this migration differ in impact from the Y2K bug of the last century? Are the two comparable in any sense?

I have a feeling that economics will dominate this race more than anything else. If the migration is going to cost a lot of money for businesses without any added value then there is bound to be a huge pushback. Somehow the cost has to be justified to them to make this transition happen and just saying address space exhaustion may not strike a chord with every business.

Sunday, November 2, 2008

The Rise and Fall of Gas!

People who have been following the economy know the state of gas (petrol) prices. But I can provide a visual reinforcement of that fact, clearly showing the bumpy ride that gas prices have taken over the year. The following graph is plotted using data I collected over the last year on gas prices in the Southern California region (Los Angeles County and Orange County). The way I collect the data is by diligently recording the date, the mileage since the last fill, the price of gas, gallons filled and location every time I visit a gas station to refill my car. This data helps me keep a check on my car's fuel efficiency and also serves as an early-warning diagnostic system for problems. (As an aside, I once noted a consistent drop in my mileage over a period of 2-3 weeks. It turned out to be due to carbon buildup in my EFI system. Quick action probably helped me save some engine life :).)


The plot clearly shows that gas prices started around $3.0 per gallon at the beginning of the year, climbed all the way up to $4.7 per gallon in mid-2008, and are falling to less than $3.0 per gallon at the end of the year.

Can one predict which direction the curve is headed now? I cannot.

Thursday, October 30, 2008

The Anonymity Paradox

Scott McNealy, co-founder and former CEO of Sun Microsystems, once famously remarked on privacy: "You have zero privacy anyway. Get over it." This was a very bold statement to make, especially for the CEO of a reputed company, but he nevertheless spoke out of his experience. It's almost ten years since that statement was made, and anyone who even barely uses the internet today wouldn't disagree much with Scott, though all of us would still want to believe in a perfect world.

As an aside, privacy and anonymity are closely linked, though there are subtle differences. Anonymity is keeping one's identity secret, while privacy can imply keeping identity plus other information secret. For the purposes of this post I will consider privacy and anonymity the same and use them interchangeably.
In my opinion, privacy and connectivity are complementary ideas, i.e. both cannot coexist. The moment you are connected to the internet, your privacy ceases to exist. I believe that this is an unfortunate but true fact, and one that people often find hard to digest. But believe it or not, total privacy does not exist in a connected world. At some level, privacy is just like security, i.e. there is no such thing as total privacy, just as there is no such thing as total security.

I can offer many reasons for this:
  • Every time we do an online transaction and give out our name, address and credit card details, we are essentially "hoping" and trusting that the website will not leak our data. Some informed users may go one step further and check whether the website displays a security seal like HackerSafe or McAfee Secure. Unfortunately, as detailed in this blog, it turns out that these certifications are mostly useless and can be easily sidestepped.
But name, address and credit card are not the only markers of identity, and hence of privacy. There are still many ways of inferring identity. A few of them are:
  • Almost every website you browse logs your IP address, which can reveal you, your ISP or your organization. That is, you can almost always be traced back.
  • With the explosion of social networks and wikis, we are getting into the habit of revealing too much information about ourselves, our families, our pets and everything that was once personal to us, to a much wider audience. This voluntary disclosure of information is in effect enabling very effective attacks on privacy, as witnessed in the Sarah Palin and Paris Hilton cases, where publicly known personal details were enough to answer account-recovery questions.
  • Googling for information has caught on so much that we inadvertently reveal "stuff" about ourselves to Google when we type into the search bar.
  • Every time we open our Gmail account and browse our emails, we also get some relevant advertisements placed alongside our emails. What this means is that there is a program out there parsing our emails and trying to "understand" us.
  • Services that measure website usage statistics, such as Google Analytics, also impact privacy in some way by storing information about your visits to websites (tracked by your IP address and cookies) on their servers.
All this is fine, but where is the paradox in all this?

To state simply, my Anonymity Paradox is :
While it is difficult to maintain anonymity on the internet for the common user, the same internet offers a magical cloak of anonymity for hackers.
I was myself amazed when this realization struck me. Users find it difficult to keep their identities secret, but hackers get away with their mischief while hardly ever being tracked down. The big reason for the existence of the malicious hacking industry is this cloakability that the internet offers. Purists might argue that the law has been able to track down hackers, but I do not think they will disagree that the ratio of captures to hacking incidents is appalling at best. Hackers typically get caught when they themselves make a stupid mistake which compromises their anonymity (for instance, see how Palin's hacker was caught).

So at one end we have people cribbing about privacy on the internet, while at the other end we have bad elements basking in the glory of the anonymous internet. To me, it looks like this is the way it is going to stay. Just as fire does not know intent and just burns whatever it is asked to burn, the internet just does what it is asked to do.

Does all this make sense?


Saturday, September 20, 2008

A Linux solution for copying and burning DVDs

The following are my experiences with copying and burning DVDs on Linux. To summarize the experience in a phrase: "It was a walk in the park".

Operating System: Ubuntu 8.04

Tools of the trade
  • k9copy (for copying DVDs)
  • brasero (for burning DVDs)
Installation
Installation in Ubuntu of the above packages is as simple as
$ sudo apt-get install k9copy
$ sudo apt-get install brasero

Procedure
  • Insert DVD into tray and open k9copy.
  • Choose File -> Open. This will load the DVD and show the chapters and titles as shown below. Select all the titles that you wish to copy.
  • Select Action -> Copy. You will be prompted for a location where the final ISO file will be saved. Make sure that you have free disk space of at least twice the size of the DVD.
  • Leave all the options in the lower pane as they are unless you know what they mean.
  • Once the copy starts you will be able to view the progress in the right-side pane.
  • The copy process creates a folder called dvd and an ISO image in the location specified earlier.
  • You can remove the folder dvd as it is not required during the burning process.
  • Now, to burn the ISO image, open brasero and select the option for burning ISO images.
  • Insert a blank DVD and start the burn process.
  • Enjoy !
In my experience, I have copied 4 DVDs and burnt around 12, and the whole process took slightly more than half a day. There were absolutely no errors, and the original DVD quality was maintained in all the copied DVDs.

Monday, September 15, 2008

Announcing another blog !

Hello dear readers (if any). I have started another blog (with a better purpose this time). The blog is about Indians and our innovations, i.e. Jugaadu Indians and our Jugaads. The inspiration for the blog came to me while reading an article in the August 24 issue of The Week. The article is about Indian ingenuity and our innovations (colloquially called Jugaads). The following quote by Dr. R. Mashelkar puts everything in perspective:
"we should think of innovation as a movement. The I in India has stood for imitation and inhibition for far too long. It is high time it stood for innovation. And the best thing about this movement is that we have the jugaad energy of a billion of us to power it forward. "

Thursday, September 11, 2008

The NEWS Equation

Our lives today are controlled by the media. Be it newspaper, television, radio or the internet, we depend on news for a lot of our day-to-day decisions, sometimes even blindly. This fact is well understood by media companies, governments and businesses alike. Unfortunately, it is also being used actively to mislead the common man. News today is no longer simple raw information; it undergoes a complex process of editing and mixing before being delivered. Thinking it over for some time, I feel that the media companies operate a huge mixer which continuously churns out news according to the following equation:

NEWS = x% Information + y% Hype + z% Personal Biases + w% Political Biases 

Different media companies use different values for x, y, z and w and yield different types of news. A case in point is the recent news about the start-up of the Large Hadron Collider (LHC) at CERN. A channel called Aaj Tak in India ran a TV series which would have made a layman believe that switching on the LHC would destroy the world. In this case, their percentage of hype was very high and little factual information was presented. Had they done a simple Google search for the LHC and the myths surrounding it, they would have realized that speculation about the formation of massive black holes had long been dismissed by eminent scientists. But the media today is more interested in its own TRP ratings and very little interested in presenting facts.

Saturday, August 23, 2008

When will people learn?

Airtel (one of India's leading cell phone providers) has recently tied up with Apple to offer the iPhone 3G in the Indian market. Everything is good, but is the following sort of sales pitch necessary to sell iPhones? Airtel is quoted here as saying:

"even the most deadly hackers on the planet won't be able to crack the codes that support the iPhone's Airtel applications with rival company SIMs."

My question is: WHY??? Even if you really have provided tamper-proof security, throwing an open challenge to the highly skilled and distributed hacker work force on the internet is nothing short of the proverbial "hitting the axe on your own leg". Such stunts may be good for testing your products before entering the market, but not once the products are already out there. Such stupidity has surely attracted the bees, and it's just a matter of time before the bees sting.

Thursday, August 21, 2008

Return gifts from an internet cafe

Today, I was at an internet cafe to get a printout, as my old printer had died a natural death. As usual, the cafe was running Windows XP machines in administrator mode. I never like the look of a Windows machine running in administrator mode in a public place, and I was quite sure that it was already pwned. Nevertheless, I plugged in my USB drive, which contained just the file I wanted to print. After a few seconds, my drive was detected and I could print the file I wanted. All was well and good.

Then I took the drive home and plugged it back into my laptop, which fortunately runs Ubuntu. Lo and behold, my drive now had three return gifts from the internet cafe. A quick antivirus scan of the files revealed the following:

neoblitz@n30:/tmp$ clamscan /media/PKBACK#\ 001/*
/media/PKBACK# 001/1.jpg: OK
/media/PKBACK# 001/2.jpg: OK
/media/PKBACK# 001/autorun.inf: OK
/media/PKBACK# 001/New Folder .exe: Trojan.Autoit.gen FOUND
/media/PKBACK# 001/regsvr.exe: Trojan.Autoit.gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 396428
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 6
Infected files: 2
Data scanned: 1.57 MB
Time: 6.231 sec (0 m 6 s)

As you can see, I had two trojan binaries and an autorun.inf which pointed to those binaries. For people who didn't realize, this is a worm which uses an unsuspecting user to physically propagate it from machine to machine: the autorun.inf gets Windows to launch the binary when the drive is inserted or opened, and a name like "New Folder .exe" (note the space) relies on Explorer hiding known extensions so that the file looks like a folder.
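An added example (my code, not the blog's, and not an analysis of the actual binaries) of how one might audit an autorun.inf pulled off a drive like this one. The autorun.inf text below is constructed for illustration; it is not the file recovered from the drive, and the names it references are taken from the scan output above.

```python
"""Audit an autorun.inf for the tricks a USB-propagating worm relies on.

Added example, not from the original post. SAMPLE_AUTORUN is constructed."""
import re

# [autorun] keys that make Explorer or AutoPlay run the named program
# (Windows later stopped honouring these for non-optical media).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\s*$", re.I)


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section, tolerating
    the mixed case and odd spacing real-world files use."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def lookalike_name(path):
    """True when the executable extension hides behind a folder- or
    document-looking stem, e.g. 'New Folder .exe' or 'photo.jpg.exe'."""
    m = EXEC_EXT.search(path)
    if not m:
        return False
    stem = path[:m.start()].rsplit("\\", 1)[-1]
    return stem.endswith(" ") or "." in stem


def audit_autorun(text):
    """List of human-readable findings; empty for a benign autorun.inf."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if target is None:
            continue
        findings.append(f"{key} runs {target!r}")
        if lookalike_name(target):
            findings.append(f"{target!r} is disguised as a folder or document")
    if entries.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 forces the open= target to run on insert")
    icon = entries.get("icon", "").lower()
    if "shell32.dll" in icon or "folder" in icon:
        # a stock folder icon makes the whole drive look like a folder
        findings.append(f"drive icon set to {entries['icon']!r} (folder disguise)")
    return findings


# Constructed sample in the style of the autorun.inf found on the drive.
SAMPLE_AUTORUN = """\
[AutoRun]
open=New Folder .exe
shell\\open\\Command=New Folder .exe
shell\\explore\\Command=regsvr.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
UseAutoPlay=1
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print(finding)
```

The parser is deliberately forgiving (case-insensitive keys, comments skipped) because the file only has to be understood by Windows, which is equally forgiving; a strict parser would miss exactly the files an attacker writes sloppily.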

It makes me wonder how many unsuspecting folks would have got infected by this. Also, the public machine itself is probably part of some botnet and has all types of exotic malware already installed, sniffing passwords and recording the transactions of unsuspecting users. Phew!

So the moral of the story is two-fold:
  • Do NOT trust public machines. Avoid using them for electronic transactions with your credit card, for logging into your email accounts with your username/password, and so on.
  • If you run as administrator, then very likely you are not the only administrator :)
I will publish results of analysis of the binaries in the next post soon.

Sunday, July 27, 2008

Sound bytes could now play the devil's tune!

The next time you want to download your favorite song (illegally of course :)) from a P2P network or some dodgy site, think twice. The latest in malware infection has just been found. According to this report from Kaspersky Lab, there is now a worm that infects your .mp3 files.

From the report, the workings of this worm are as follows:

The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files. The marker is activated automatically during file playback. It opens an infected page in Internet Explorer where the user is asked to download and install a file which, according to the website, is a codec. If the user agrees to install the file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, giving cybercriminals control of the victim PC.
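The conversion described above leaves a tell: the file keeps its .mp3 name but its content is now an ASF (WMA) container, which begins with a fixed 16-byte GUID, and the marker is a URL inside that header. Here is an added example (my code, not the blog's and not Kaspersky's) that checks for exactly that mismatch. The sample byte strings are constructed to exercise the check, not taken from an infected file, and the URL in them is a placeholder.

```python
"""Flag .mp3 files whose bytes are really an ASF/WMA container with a URL.

Added example, not from the original post. CLEAN_MP3 and DISGUISED are
constructed samples; the URL is a placeholder, not a real infected page."""
import re

# Every ASF (WMA/WMV) file starts with this header-object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
URL_BYTES = re.compile(rb"https?://[\x21-\x7e]+")
URL_TEXT = re.compile(r"https?://[\x21-\x7e]+")


def looks_like_asf(data):
    return data.startswith(ASF_HEADER_GUID)


def looks_like_mp3(data):
    """ID3v2 tag, or an MPEG audio frame sync (first 11 bits set)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def header_urls(data, limit=65536):
    """URLs in the first `limit` bytes, as raw ASCII or as UTF-16LE, the
    encoding ASF uses for its strings."""
    window = data[:limit]
    urls = {m.group().decode("ascii") for m in URL_BYTES.finditer(window)}
    urls.update(URL_TEXT.findall(window.decode("utf-16-le", errors="ignore")))
    return sorted(urls)


def assess(name, data):
    """Verdict for a file name and its leading bytes."""
    if name.lower().endswith(".mp3") and looks_like_asf(data):
        urls = header_urls(data)
        if urls:
            return "suspicious: .mp3 is an ASF/WMA container with URL " + ", ".join(urls)
        return "mismatch: .mp3 is an ASF/WMA container"
    if looks_like_mp3(data):
        return "ok: MPEG audio"
    return "unknown"


# Constructed samples: an ID3-tagged MPEG file, and an ASF header carrying
# a UTF-16LE URL under an .mp3 name, as the worm's output would.
CLEAN_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + bytes(64)
DISGUISED = (ASF_HEADER_GUID + bytes(30)
             + "http://codec.example/get".encode("utf-16-le") + bytes(64))

if __name__ == "__main__":
    for name, data in (("song.mp3", CLEAN_MP3), ("song.mp3", DISGUISED)):
        print(name, "->", assess(name, data))
```

A URL in the header is only a heuristic (legitimate WMA files can carry one too), but an ASF container under an .mp3 name is never what a legitimate MP3 looks like, and that mismatch alone is enough to quarantine the file before a player opens it.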

You can get infected by the worm directly, or via an already infected mp3 file downloaded from some malicious site or P2P share. The simple precautions against this type of infection are the age-old and time-tested ones:

  1. Never run as administrator on your computer. I repeatedly hear that it's insane not to be administrator on your own machine. Please note that if you run as administrator of your own machine, then there is probably another administrator of your machine :). This simple precaution can mitigate tons of security issues and make attacking your system that much more difficult.

  2. Do not install stuff from websites that you do not know or trust, i.e. do not randomly click install buttons unless you are absolutely sure.

  3. If you are really crazy about P2P downloading, as if your life depends on it, then try doing it inside a VMware virtual machine. This way, in the event of a compromise, at least your critical data residing on your real system is protected.

Thursday, July 24, 2008

Testing your DNS servers for CERT VU#800113 (or Dan Kaminsky's bug)

Here are two pointers to diagnostic tools for testing your DNS server against Dan Kaminsky's vulnerability (CERT VU#800113). Please note that these tools use a very simple test (they look at the source ports your resolver uses for outgoing queries) and may not be enough to provide a foolproof assessment of the strength of your DNS server.

[Update] There is also a simple command-line test from the same folks at DNS-OARC. Just fire the following command from a command line (of course, you need to have dig installed):
dig +short porttest.dns-oarc.net TXT
The first gives a really cool output; a sample is shown below. If you see GREAT in the output it means you are OK against the bug (as far as the tool is concerned).


"Kaminsky's DNS bug" drama

If you are reading this article and are interested in computer security, then you may already know about the blockbuster DNS bug and the whole drama around it. To put a long story short, a major bug in the DNS protocol was discovered around 6 months ago by Dan Kaminsky. To describe the bug simply, it makes DNS cache-poisoning attacks a walk in the park (details here): a resolver that sends queries from a fixed source port leaves the attacker only the 16-bit transaction ID to guess, and by triggering lookups for random sub-names of the target domain the attacker gets an unlimited number of tries at forging a response. Kaminsky, being a white-hat researcher, responsibly informed all DNS vendors about the bug and wanted to make sure that all DNS server implementations were patched before he disclosed the bug to the world at Black Hat '08. But Kaminsky chose to hold a press conference a month before the disclosure and hinted at the existence of the bug without giving all the details. This caused a furore in the community about Kaminsky's claims, but he managed to convince people (Thomas Ptacek of Matasano Chargen in particular) offline about the importance of the bug by confiding the details to them, and encouraged ISPs to patch as fast as they could before Black Hat. Thomas Ptacek, realizing his mistake, immediately changed his pitch and started encouraging people to patch as soon as they could.

All was supposedly well until Halvar Flake made an almost right guess at the bug. This somehow caused panic at Matasano Chargen, and they released full details of the bug before hurriedly pulling the post back. Of course, with feed readers around the world caching the blog, pulling back the post did no real good, and in their own words "the cat was out of the bag" for sure now. Dan Kaminsky diplomatically handled the disclosures and is now encouraging people to patch the bug as fast as they can. Unfortunately, the disclosure of the details had already resulted in sample exploits for Metasploit coming out by the end of the day. Thomas Ptacek, of course, has now posted an apology on his blog!

Now, one can blame Halvar Flake and Thomas Ptacek for disclosing the bug. One can also blame Thomas Ptacek for breaking Dan Kaminsky's trust. But if you are a security researcher, you know very well that you may not be the first one to discover a bug. Blackhats, aka evil hackers, don't care about disclosing the bugs they find. They just use them! So I believe that these disclosures may at least force lazy ISPs to patch their systems sooner. Whether that will really happen remains to be seen. My guess is that in spite of all this drama, there will be DNS servers which will still never get patched and will be sitting ducks ready to be exploited. It will be interesting to see if hackers are able to capitalize on this bug and use it for real damage.

If you want to test your DNS server's resilience to this attack, you can use the small "Check my DNS" widget on Dan Kaminsky's site (www.doxpara.com). It may be interesting to note that djbdns is not affected by this bug because of its sound design: it has randomized source ports (and query IDs) since its first release, which is exactly what the vendors' patches retrofit. Read Bruce Schneier's article for his praise of its design and on the importance of thinking about security during development rather than as an add-on.
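To tie the porttest check above to the bug itself, here is an added example (my code, not DNS-OARC's and not the blog's) that rates a list of observed resolver source ports the way a porttest-style probe does, and then works out how much port randomization raises the cost of the forgery race. The port lists are constructed samples; the POOR/GOOD/GREAT thresholds are my assumptions modelled on the OARC test, not copied from it.

```python
"""Rate resolver source-port randomness and cost out the Kaminsky race.

Added example, not from the original post. Thresholds and port samples
are assumptions/constructed data, not DNS-OARC's."""
import math
import statistics

# Assumed rating thresholds on the standard deviation of observed source ports.
POOR_BELOW = 296
GOOD_BELOW = 3980


def rate_source_ports(ports):
    """Classify observed UDP source ports as POOR, GOOD or GREAT."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "POOR"   # fixed port: only the 16-bit TXID protects the cache
    sd = statistics.pstdev(ports)
    if sd < POOR_BELOW:
        return "POOR"   # e.g. a sequentially incrementing port
    if sd < GOOD_BELOW:
        return "GOOD"   # randomized, but over a narrow range
    return "GREAT"


def guess_bits(txid_bits=16, distinct_ports=1):
    """Bits an off-path attacker must guess per forged reply: the TXID plus
    log2 of the number of source ports the resolver actually draws from."""
    return txid_bits + math.log2(distinct_ports)


def forged_replies_for(p_success, bits):
    """Forged replies needed for probability p_success of at least one
    correct guess, each reply succeeding independently with chance 2**-bits.
    Kaminsky's twist is that a lost race costs nothing: the attacker just
    asks for another random sub-name, so only this per-win cost matters."""
    return math.ceil(math.log(1.0 - p_success) / math.log1p(-(2.0 ** -bits)))


# Constructed observations, e.g. from 'dig' against the resolver under test.
FIXED_PORT = [53] * 20                         # queries always sent from port 53
SEQUENTIAL = list(range(32768, 32788))         # incrementing ephemeral ports
NARROW = [40000, 42000, 44000, 46000, 48000, 50000]
RANDOM = [1117, 60043, 33027, 5001, 48912, 22250, 61999, 9873, 40221, 15006]

if __name__ == "__main__":
    for label, ports in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("random", RANDOM)):
        print(f"{label:10s} -> {rate_source_ports(ports)}")
    for ports in (1, 65536):
        n = forged_replies_for(0.5, guess_bits(16, ports))
        print(f"{ports:5d} source port(s): ~{n:,d} forged replies for a 50% win")
```

With one source port, roughly 45,000 forged replies give the attacker even odds, which is seconds of traffic; with the full 16-bit port range the same odds cost about 65,536 times more, which is what turns "a walk in the park" back into a long shot.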

Tuesday, July 22, 2008

Design of the Batpod!

Batman: The Dark Knight was released in theatres across the US on 18 July 2008, and it was a rocker. I watched the IMAX version of the movie on the second day after its release, and it was well worth the money. I think it was the Joker (Heath Ledger) who made this movie the hit that it became. The film had everything to offer, from cool stunts and cool gizmos to great graphics and stunning cinematography. This was probably the best movie of the first half of 2008 for me.

Batman is known for his cool gizmos and machinery, and this movie offered no less in that respect. The coolest gadget Batman had this time was his Batpod. At first glance, the Batpod looked completely undrivable. How the hell did Batman (or his stuntmen) drive this thing in the movie?


Firstly, here is a good photo borrowed from this site:



I also found these interesting paragraphs on its design:

From this:

The vehicle has no handlebars, but shields for the shoulders that allow for steering. It was also difficult to keep balance on the huge 508 millimeter tires, with engines in both hubs of each wheel. Not only that, the driver has to lie belly down on either side of the tank, balanced on two foot pegs spaced 3 ½ feet apart.

From this:
Despite its curious mechanics, this is a drivable vehicle. Flanking the Batpod behind the front wheel are two elevated stirrup like devices which the stunt driver, Jean-Pierre Goy, places his arms into and steers the vehicle using his shoulders. The engines are located within each wheel hub, seemingly reminiscent of the electric motor integrated into every wheel of MIT Media Lab's CityCar. According to the LA Times, this attitude laden design was conceived by Nathan Crowley and built by Chris Corbould.

Neat stuff!

Monday, July 7, 2008

On predicting futures

You read it right. It's 'futures' and not 'future'. As historians and futurists alike would agree, there is only one history but many futures. To put the rest of the post in perspective, it was prompted by an article on Wired called 5 Things Wired Pronounced Dead Prematurely. From the article,
Web browsers (March 1997) Push media was about to supersede browsers. Or not. If we could push this claim from the archives, we would. (Original Article)
It's not so important that they got this wrong; the larger point is that, as humans, we are very bad at predicting future events. As Nassim Taleb (author of The Black Swan) puts it, the future is non-linear, and thus any attempt to predict it from the available knowledge and trends is futile. This chimes with the earlier point that there is one history but many futures. The main idea behind these arguments is that there are unpredictable events that can completely change the course of progress.

I believe browsers could not be obsoleted by push media for the following reasons:
  1. Emergence of Firefox and its wonderful plugin framework
  2. Emergence of blogging
  3. Syndication of content via protocols like RSS
  4. Emergence of Web 2.0 (stuff like Ajax, Web Services etc)
  5. Google's efforts to turn the browser into an "operating system" by providing critical business software from within the browser.
What we see more often today is that push has merged itself into the browser instead of obsoleting it.

Sunday, July 6, 2008

A fun javascript flipbook

Getting bored with my work, I tried doing something completely useless this weekend :). I had some photos taken in burst mode during my trip to La Jolla in San Diego County, California. So I stitched them together using JavaScript to create a flip-book effect. You can check out the demo and the accompanying JavaScript on my website here. Enjoy!

Unfortunately, I could not put up the demo here, as Blogspot does not accept stuff within <script> tags.

Saturday, June 21, 2008

Ruby Command line for dhingana.com

I got bored of clicking links on dhingana and thought there should be an easier way to listen to songs. Being a command line freak, it was very natural for me to think of writing a command line tool. So I wrote a small Ruby utility for downloading songs from dhingana.

The tool can be found here. Please read the disclaimer before using the tool, and feel free to drop me a line.

PS: The website is work in progress and will be fully functional in 2-3 weeks.

Thursday, June 19, 2008

Surfing in a hostile world!

To get a hostile view of the world we surf in, here are a few statistics about all the malware forms coexisting with us today.

A few highlights (as of today)
  1. There are around 3000 botnet command and control servers active at any time of the day.
  2. There are around 100K bot machines (using a 30-day age value for each bot).
  3. The US has around 4500 bot C&Cs (the most in the world). Interesting to see that China is way down the list with only 115.
  4. There were around 3.5 million unique malware binaries seen in October 2007, with the number of unique binaries being at least 1 million every month ever since.
  5. The 0-day detection stats for antivirus vendors are very interesting. Out of the 68,000 samples of new malware that were tested against well-known vendors in the last 24 hours, the really well-known ones like Kaspersky, McAfee etc. were able to detect only 70% of them, while AntiVir detected around 98%. Curiously, Symantec is not on the list.

These statistics are from Shadowserver. Shadowserver's statistics are generally considered very reliable in the security community. It is not clear to me what percentage of the address range they monitor, but the stats are nevertheless very revealing.

Sunday, June 8, 2008

Technological Singularity: Warning in disguise? - [Part 1]

I was recently reading about technological singularity that a lot of who's-who in the field of AI/Robotics (Ray Kurzweil, Hans Moravec, Vernor Vinge etc.) are talking about. The June'08 IEEE Spectrum runs a special feature on this called "Rapture of the Geeks". Reading through the articles (and also having read Ray Kurzweil's The Singularity is near) i have a few questions on some of the predictions that futurists are making. I am trying to get feedback on these issues from some well known folks in the field and will post them as and when they become available.
  • One popular view of technological singularity predicts that machine intelligence will surpass human intelligence in the next few decades and we will have machines building more intelligent machines, presumably not under human control. This means that humans would have succeeded in building something which can replace us at the top of the intelligent species list. If this is indeed true, then wouldn't it make human existence meaningless and eventually result in our extinction? Or worse, we may end up being pets to a superior intelligent species :) . My point is, if humans are smart, why would they let this happen?
  • Ray Kurzweil predicts that singularity is just 3-4 decades away. He builds up his arguments based on the technological revolutions in genetics, nanotechnology and robotics. Innovations in these areas may help us build machines smarter than ourselves, but they all would lack the consciousness that sets humans apart. Thus they can all be more efficient than us but presumably not "street smarter" than us. Some scientists also predict that we will eventually be able to give our consciousness to these machines. But what would that help us achieve? Will it help us better our own lives or make us extinct?
  • Assume that the singularity does eventually happen; what makes us feel that we will be able to build a set of guiding principles under which our intelligent innovations will work? And why would those conscious intelligent beings follow our guidelines instead of inventing their own, more efficient guidelines? Isn't this similar to humans having children, the children growing up and then deciding for themselves what's right and wrong? The only difference here being that these android offspring would be far more capable (and lethal) than human children.
  • The final question is, if our technological progress is indeed pointing towards a singularity, then should we take it as a sign of progress or a warning for our future?

Saturday, May 24, 2008

Security is all about breaking assumptions !

Anyone with even a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is built with certain assumptions, because otherwise the system requirements would tend to be infinite. Attackers target exactly those assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that the systems which stand the test of time are the ones that have their assumptions clearly laid out and which give their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. So that would imply that there is no such thing as 100% secure !!! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool their customers, or maybe even themselves.

A case in point: there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. In fact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity theft. They do this by setting fraud alerts at the three major credit bureaus, namely Experian, TransUnion and Equifax. They thought that by doing this, anyone who tries to use an SSN not belonging to himself will get caught. But they made a very, very big assumption here: that outfits like credit card companies, banks etc. will always run a credit check before activating services for an individual. Guess what! They were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was that the loan company did not bother to run a credit check at all !!

The take-home message from this post is thus twofold:
  1. If you are a customer, carefully evaluate the security assumptions yourself without getting sold by the vendor's advertising.
  2. If you are a vendor, make sure that all your assumptions are clearly stated, and avoid hidden ones.

Saturday, May 3, 2008

30th Anniversary of SPAM

As per this BBC news article, 3rd May 2008 is the 30th anniversary of email SPAM. The first spam message was sent to 400 users on the ARPANET by a DEC employee on 3rd May 1978. But this was not yet the beginning of the commercial SPAM era. It was only in April 1994 that a group of immigration lawyers sent the first commercial spam message to more than 6000 USENET discussion groups, thus spawning a new rogue business model using the internet.

Wednesday, March 19, 2008

Famous three laws !

Clarke’s Three Laws (from the book "Profiles of the Future" by Arthur C. Clarke) [1]
  1. “When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.”
  2. “The only way of discovering the limits of the possible is to venture a little way past them into the impossible.”
  3. “Any sufficiently advanced technology is indistinguishable from magic.”

Asimov's Laws of Robotics [2]
  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey orders given to it by human beings, except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
References
[1] NYT Article
[2] Wikipedia Article

Saturday, March 8, 2008

EyeOS ! Is it anything more than EyeCandy?

EyeOS Professional Services has released a browser-based OS called EyeOS. Check the demo at: http://demo.eyeos.org/

From the site :

eyeOS was thought of as a new definition of Operating System, where everything inside it can be accessed from everywhere in a Network. All you need to do is log in to your eyeOS server with a normal Internet Browser, and access your personal or corporate desktop, with your applications, documents and files... just like you left it last time.

eyeOS comes with a preloaded suite of applications, some for private use, like the file manager, a word processor, a music player, calendar, notepad or contacts manager. There are also some groupware applications, such as a group manager, a file sharing application, a group board and many more.

I am finding it difficult to comprehend why anyone would want to use this. Wasn't Remote Desktop over VPN good enough?

This kind of technology opens a can of security worms. First of all, this is browser-based and anyone can log in from anywhere. So if a user's account is compromised because he was logging into his company's eyeOS server from a cybercafe, the company's data is at risk. Secondly, why would anyone want to leave Word and Excel and use the applications provided by them? Or for that matter, why would anyone using Google Docs want to use this technology? I find it difficult to see the true value proposition in this product.

The idea is nevertheless neat.

Saturday, February 23, 2008

Google Scanner from cDc

The Cult of the Dead Cow (cDc) has released Goolag: a Google scanner for searching out website vulnerabilities and other juicy information using Google. The scanner is based on the Google hacking techniques developed by Johnny Long. The tool comes with its own dork database and makes scanning fast.

As defined by Johnny Long in his hacking database, googledorks are "inept or foolish people as revealed by Google".

Technically, dorks are search patterns that reveal sites with potential vulnerabilities. Check the hacking database for the extensive list of dorks. These search patterns are not specific to Google; they are just more effective with Google because of its vast index.

An example dork from the hacking database is "intitle:admin intitle:login", which gives admin login pages. Now, the existence of this page does not necessarily mean a server is vulnerable, but it sure is handy to let Google do the discovering for you, no? Let's face it, if you're trying to hack into a web server, this is one of the more obvious places to poke.
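The defensive side of the same idea is to run the dork patterns against your own site before a search engine indexes it, so you find the admin pages, directory listings and stray documents first. The Python script below is an added example, not code from this post, from Goolag or from Johnny Long's database: it parses the common operators (intitle:, inurl:, intext:, filetype: and bare terms, with quoted phrases) and evaluates them offline against locally crawled pages. The pages, the example.test URLs and the dork list are constructed for the demonstration, and matching is plain case-insensitive substring matching, which only approximates how Google applies these operators.

```python
"""Evaluate Google-dork style search patterns against a local crawl.

Added example for auditing your own site; it is not part of the original
post, of Goolag or of the GHDB. Operators handled: intitle:, inurl:,
intext:, filetype: and bare terms (matched in title or body text).
Sample pages and dorks are constructed; example.test is a placeholder host.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Page:
    url: str
    content: str  # HTML, or plain text extracted from a non-HTML document


class _Extractor(HTMLParser):
    """Collect <title> text and body text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.text_parts = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.text_parts.append(data)


def parse_dork(dork):
    """Split a dork into (operator, term) pairs; bare words get operator 'text'.
    Quoted phrases stay together, e.g. intitle:"index of"."""
    tokens = re.findall(r'(?:(\w+):)?("[^"]*"|\S+)', dork)
    return [(op.lower() if op else "text", value.strip('"').lower())
            for op, value in tokens]


def page_matches(page, terms):
    """True when every (operator, term) pair in the dork holds for the page."""
    ext = _Extractor()
    ext.feed(page.content)
    ext.close()  # flush any trailing text not followed by a tag
    title = ext.title.lower()
    text = " ".join(ext.text_parts).lower()
    url = page.url.lower()
    path = urlparse(page.url).path.lower()
    for op, term in terms:
        if op == "intitle":
            ok = term in title
        elif op == "inurl":
            ok = term in url
        elif op == "intext":
            ok = term in text
        elif op == "filetype":
            ok = path.endswith("." + term)
        else:  # bare term: anywhere in the title or the body
            ok = term in title or term in text
        if not ok:
            return False
    return True


def audit(pages, dorks):
    """Return {dork: [matching urls]} for every dork that hits at least one page."""
    hits = {}
    for dork in dorks:
        terms = parse_dork(dork)
        matched = [p.url for p in pages if page_matches(p, terms)]
        if matched:
            hits[dork] = matched
    return hits


# Constructed sample crawl of a hypothetical site (not real pages).
SAMPLE_PAGES = [
    Page("https://example.test/admin/login.php",
         "<html><head><title>Admin Login</title></head>"
         "<body><form>user/pass</form></body></html>"),
    Page("https://example.test/backup/",
         "<html><head><title>Index of /backup</title></head>"
         "<body>db.sql.tar.gz</body></html>"),
    Page("https://example.test/about.html",
         "<html><head><title>About us</title></head>"
         "<body>We make widgets.</body></html>"),
    # Text extracted from a PDF; fed in as plain text.
    Page("https://example.test/docs/handbook.pdf",
         "Employee handbook. Confidential draft."),
]

SAMPLE_DORKS = [
    'intitle:admin intitle:login',   # the dork quoted in the post
    'intitle:"index of" backup',
    'filetype:pdf confidential',
    'inurl:wp-config',
]

if __name__ == "__main__":
    for dork, urls in audit(SAMPLE_PAGES, SAMPLE_DORKS).items():
        print(f"{dork!r} would surface: {urls}")
```

Feeding the output of a real crawl (a sitemap walk, or the search engine's own cached index of your domain) into `audit` with the dork list from the hacking database gives a list of pages to pull behind authentication, add to robots.txt, or remove before a scanner finds them; the first dork in the list is exactly the admin-login pattern discussed above.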

Microsoft opens up its Treasure Chest

Microsoft has finally opened up its "treasure" chest. Microsoft has started a protocols program under which it is releasing a large body of protocol documentation.

From their website

"The Microsoft Protocol Programs foster innovation and interoperability by offering partners access to Windows Vista, Windows Server 2008, Microsoft SQL Server 2008, the 2007 Microsoft Office release, Microsoft Exchange Server 2007, and Microsoft Office SharePoint Server 2007 protocols for use on any platform. These programs enable and encourage a vibrant development community and support it with customer service. The result will be smarter, interoperable products that can be released in coordination with Microsoft product releases."

All the documents are available in PDF format.

The following document is a roadmap for ploughing through the set: [MS-DOCO]: Windows Protocols Documentation Roadmap

Thursday, February 14, 2008

Height of obsessiveness !

Check this link on autoblog

"The matchstick master built a full scale Mercedes-McLaren F1 car in his kitchen using 956,000 matchsticks and 1686 tubes of glue."

Don't forget to check out the photos gallery.

Thursday, January 31, 2008

Real Programmers (courtesy: Xkcd)

For those poor souls who don't follow xkcd, check this out....

MS08-001 Proof-Of-Concept Exploit

Check out this cool proof-of-concept exploit developed by Immunity (immunitysec) for the IGMPv3 vulnerability (MS08-001).

http://immunityinc.com/documentation/ms08_001.html

The tool being used is their flagship CANVAS product.

Wednesday, January 16, 2008

Mona Lisa's identity solved

This is something for Da Vinci fans. From this NYT article:

"Experts at the Heidelberg University library say dated notes scribbled in the margins of a book by its owner in October 1503 confirm once and for all that Lisa del Giocondo was indeed the model for one of the most famous portraits in the world".

You can see the painting at the Louvre Museum in Paris or here.

Tuesday, January 15, 2008

TASERs

Check out this impressive piece of (controversial) technology, called the TASER, that is used by US cops to stun suspects. The TASER gun basically fires two dart-like probes towards the target, connected to the gun by thin wires. The gun then generates electrical pulses which contract the target's muscles and send him into shock. But these pulses are controlled so as not to disturb the electrical activity happening within the body. For an in-depth look at how TASERs work, read the following article: http://www.spectrum.ieee.org/dec07/5731/2.

TASER usage has been controversial because of incidents such as the one at the University of Florida, where cops hit a student with a TASER after the student asked Senator John Kerry a series of uncomfortable questions and did not comply when asked to leave the auditorium. The incident can be watched on YouTube at http://www.youtube.com/watch?v=y3FFnpS-eYA.

Powered by ScribeFire.

A neat HOWTO for cheating !

Check out this neat trick for cheating in an exam using just a Coke.

http://www.youtube.com/watch?v=NpQZDJ2fGnI

Disclaimer: Use it at your own peril :)).

Saturday, January 5, 2008

A brief history of computing, networking and the internet


I stumbled upon this awesome documentary called Nerds 2.0.1, produced almost 10 years back. It's about how geeks working out of their garages, living rooms and school dorms built some of the most brilliant technology serving mankind today. The video traces the history of four of the most successful companies: 3COM, Novell, Cisco and Sun. A constant emphasis in the whole documentary is on the role of the venture capitalists in Silicon Valley. The bright and dark sides of venture capitalism and venture capitalists are highlighted aptly. It's a must-watch for all technology geeks, nerds and budding entrepreneurs.

http://video.google.com/videoplay?docid=-2534997893350167670

Tuesday, January 1, 2008

Interesting Army Slang !

I recently came across these US Army slang terms and could not resist posting them. I liked these ones the most. (Credits: Wikipedia)

  • FUBAR - Fucked Up beyond all repair
  • BOHICA - Bend Over, Here It Comes Again
  • JANFU - Joint Army/Navy Fuck-Up
  • SNAFU - Situation Normal: All Fucked Up
  • TARFU - Things Are Really Fucked Up
  • AWR - (Alpha Whiskey Romeo) Allah's Waiting Room. When engaged, insurgents have a tendency to flee to the same building (the AWR), at which point the troops radio in an air strike.
  • BTDT — Been There, Done That
  • DAN — Dick, ass, and nuts. Used when referring to a smell, particularly that of a soldier who hasn't showered in a while. When used in a sentence, "Joe smells like DAN."
  • DICK — Dedicated Infantry Combat Killer (used in Infantry Training)
  • FIDO — "Fuck It. Drive On" Equivalent of "Shit Happens" Pronounced like a dog's name: Fy-dough
  • FM — Fucking Magic. Used to explain something complicated, generally to someone new who has asked a question that would take too long to explain. "How does that work?" "Oh, it uses FM."
  • FOAD — Fuck Off And Die
  • FODA — Fuck Off and Die Asshole. Note: Foda is also Portuguese for fuck. When said by itself, it can have the same connotation as "Fuck off and die, asshole." This would make it a recursive slang in two languages.
  • FUBB — Fucked Up Beyond Belief
  • NDG — No Damn Good
  • NFG — No Fucking Good, a.k.a. busted, non functional, broken. also "New Fucking Guy"
  • NPGs — No Pussy Getters; see BCD
  • SOS — Same Old Shit; Shit On a Shingle. Creamed chipped beef on toast/biscuit, a breakfast staple.
  • SRDH — Shit Rolls Down Hill. Used to denote unwanted or unpleasing duties assigned to lower ranks.
  • US ARMY — Uncle Sam Ain't Released Me Yet
  • YMRASU — Yes, My Retarded Ass Signed Up (US Army backwards)