Friday, February 25, 2005

A Funny Thought...

I just had a really funny thought. I was watching the evening news and just happened to hear Dan Rather or some other equally ancient dude talking about how younger people seem to not care about private savings accounts and all the hoopla surrounding Social Security. My initial thought was, "Well, they don't care because they are watching Cartoon Network instead of the evening news."

http://www.cartoonnetwork.com/

At least I thought it was pretty funny. In reality, the reason we don't care is because I can name three things that are on the evening news occupying over half the timeslot:

1) Someone died in Iraq by carbomb/whatever or announcing airport security stinks.
2) Someone discovers that bananas cause cancer or another FDA approved blah blah blah gets mad cow disease or some other such nonsense.
3) Someone is pushing budget balancing, social security reform, this reform, that reform.
(Other, more minor, negative news follows - very rarely any positive news).

Then, this is interwoven with annoying commercials for:

1) Cialis.
2) Viagra.
3) Cars.

I can tell you three things that won't make the evening news:

1) If some company releases a great software product, it won't even get 5 seconds of airtime (only exceptions: Microsoft and IBM can buy ad space pretty much any time they want).
2) If someone makes a positive impact for the Internet, no one on the newscast will bat an over-makeupped eyelash.
3) Any technological advances because the journalists won't bother to write down anything correctly. Journalists have embarrassed themselves so often with technology they don't even cover it any more (IMO, that is a very lame excuse).

No wonder I prefer Cartoon Network: At 6p.m. there is Static Shock and at 6:30 there is Teen Titans (both of which are typically downright hilarious). The commercials aren't trying to sell me what I get in my spam every day...and some of them (e.g. the Pop-Tarts commercials) are actually funny. If the evening news were actually random every day and normal people had a chance of being on it, instead of the same boring, grimy news for 3 months at a time, younger people might actually watch it.

Oh, and if anyone important from CBS reads this, be sure to fire the old dudes. They are terrible newscasters. And they wear makeup. Seriously, what guy over 50 wants to wear makeup? Eww. I just had a terrible thought: Dan Rather/Tom Jennings in Spandex with makeup on. I think it is time to stop this blog entry.

Quick update on the conversion: It is coming along pretty smoothly. Sort of stuck on a really large piece of the conversion. I've made a huge dependency tree to figure out what I absolutely need and don't need to get to my target destination as fast as possible. Trimming the fat, so to speak.

Thursday, February 17, 2005

Uh oh...

Oh boy - two posts in one day. That's a rare treat for all of you, but I absolutely have to share this:

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Don't bother reading the above unless you are in the security industry. There is only one thing you need to know: e-commerce = seriously busted. See, I am into the whole security industry thing and you don't need to be. However, when something this huge happens, you need to know about it - and perhaps the underlying technology of how it works. And this is huge.

Okay, we all remember...we probably don't remember but think we do...back when e-commerce was this huge buzzword and everyone was talking about how it was the hot next best thing? That was somewhere around 1998 and escalated into 2001. It is now 2005. In computer to human years, that is 80 total years for e-commerce.

E-commerce is based on a technology called Secure Sockets Layer (SSL). SSL is called a layer because it transports data securely over the Internet using TCP/IP. TCP/IP is insecure. For instance, a Telnet session (a way to execute commands on a remote computer) used to be a great source of information for people/programs listening in on the network - you could get passwords and other sensitive data. Obviously, you would never want to do e-commerce over plain-old TCP/IP because very sensitive information such as credit card numbers is involved.

In came SSL, now better known as SSL/TLS (the latter being a real IETF standard while SSL was somewhat of a buggy hack that Netscape created). With SSL, information could be sent securely in the open across TCP/IP without people watching what was going on. This was great news to retailers who wanted to expand into the growing Internet.

Before e-commerce could come into play, however, people needed to be able to use their web browsers to send their credit card information over the Internet. In came HTTPS. HTTP is the standard way a web browser and a web server talk to each other. HTTP runs over TCP/IP (which means all plain-old HTTP traffic is insecure). All HTTPS does is inject SSL between the HTTP and TCP/IP layers. A pretty picture follows:

HTTP <-> SSL <-> TCP/IP = HTTPS

So, your web browser simply continues to talk HTTP when it talks across SSL.

Okay, this seems good and all, so what's the big deal? What if SSL is ever broken. I'm not talking about a random case here and there. I mean a real break. A fundamental break.

To understand how SSL can be broken fundamentally, you have to understand how SSL actually operates. Let's say you want to create a secure connection between you and an unknown host. It is like walking up to a complete stranger on the street and giving them your credit card. You aren't going to do that without figuring something out about the stranger first. The same thing happens with an SSL-enabled server. The first thing that happens across SSL is a handshake and key exchange.

1) The handshake is kind of like real life. Basically, it verifies that the server really is an SSL server and gets some preliminary information, namely a server certificate containing a public key.

2) Based on the server certificate's public key, a session key is created and the public part of that key is sent to the server encrypted using the server's public key. Since only the server has the private key, the message can only be decrypted by the server. This is a topic suitable for a book, so I won't go into any more detail, but suffice it to say that at this point the browser has missed a fundamental flaw.

Where is the fundamental flaw? Somewhere between steps 1 and 2, the browser's SSL architecture does a security check on the certificate to verify that there is a path to a trusted root, the certificate hasn't expired, and this is the right domain. What if the certificate is ever spoofed? What if the trusted root is spoofed? Is that possible? Until today it wasn't. (If this doesn't make sense, please keep reading).

Back in August 2004, MD5 was considered broken shortly after the "rump session" at the recent security conference. At the same conference, SHA-1 was partially broken and SHA-0 completely broken. All three are cryptographic hashes. Both MD5 and SHA-1 are heavily used in e-commerce SSL server certificates (more use the latter). Therefore, both affect you as a consumer and/or server owner if they are ever publicly broken.

Let's just prove this to ourselves for a moment. Start up another browser session and go to PayPal's secure website (https://www.paypal.com/). You will notice that in the lower right corner of IE a little gold lock will appear. If you hover over it, you can see it is "128-bit secured". Now, double-click on it and a window you probably have never seen before in IE appears. Feel free to explore, but eventually come back to the next step (please don't install the certificate - they are a pain to remove). Go to the details tab. Scroll to the bottom of the list. Second from the bottom should be an entry called "Thumbprint algorithm". It will say "SHA1". This means that the certificate the server sent your browser is only as good as the strength of the cryptographic hash SHA-1. If SHA-1 is ever broken, the certificate is therefore broken. According to the rumors above, SHA-1 is broken. Therefore:

- PayPal is no longer secure.
- Your online bank is no longer secure.
- Any place you use a credit card online is no longer secure.
- VPN logins are no longer secure.
- The list goes on.
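Added example (mine, not code from the post or from any project it mentions): a standard-library Python script that does what the post describes a browser doing between steps 1 and 2, and what the PayPal certificate-window walkthrough does by hand. It walks a DER-encoded X.509 certificate, reads the signatureAlgorithm field (the digest the CA signed over the certificate body; the "Thumbprint" IE shows is a separate display hash the browser computes itself), the issuer, the validity dates and the subject name, and then runs the checks: path to a trusted root, not expired, right domain, plus the one the post argues for, a digest with no published collisions. The certificates it inspects are constructed inside the script with placeholder key and signature bytes; the names ("Example Trusted Root", www.example.com), the validity dates and the trusted-root set are assumptions, and matching the issuer name against that set stands in for real chain building and signature verification.

```python
import hashlib
from datetime import datetime, timezone

SIG_ALGS = {  # signatureAlgorithm OID -> (name, digest the CA signed over the TBSCertificate)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1"}  # collision attacks have been published against both
OID_CN = "2.5.4.3"              # X.520 commonName
SAMPLE_NOW = datetime(2005, 2, 17, tzinfo=timezone.utc)  # the post's date, used by the demo

def read_tlv(buf, pos=0):
    """DER tag-length-value at buf[pos] -> (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Members of a constructed element as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:  # base-128 arcs; a set high bit means "more bytes follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_utctime(content):  # UTCTime YYMMDDHHMMSSZ (strptime's %y pivot differs from RFC 5280's only for 1950-1968)
    return datetime.strptime(content.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def find_cn(name):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == OID_CN:
                return value.decode("ascii")

def inspect_certificate(cert_der):
    """What the browser reads from the certificate, plus the digest of the bytes the CA signed."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, tbs_end = read_tlv(cert)         # tbsCertificate: the CA signs the digest of these bytes
    _, sig_alg, _ = read_tlv(cert, tbs_end)  # outer signatureAlgorithm
    oid = decode_oid(children(sig_alg)[0][1])
    name, digest = SIG_ALGS.get(oid, (oid, None))
    fields = children(tbs)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional EXPLICIT [0] version
    issuer, validity, subject = (c for _, c in fields[2:5])
    not_before, not_after = (decode_utctime(c) for _, c in children(validity))
    # any other TBS with the same digest would verify under this certificate's signature
    return {"signature_algorithm": name, "digest": digest, "not_before": not_before, "not_after": not_after,
            "issuer_cn": find_cn(issuer), "subject_cn": find_cn(subject),
            "tbs_digest_hex": hashlib.new(digest, cert[:tbs_end]).hexdigest() if digest else None}

def check_certificate(cert_der, hostname, now, trusted_root_cns):
    """The checks the post lists (trusted root, expiry, domain) plus the digest check it argues for.
    Matching the issuer CN against a trusted set stands in for real chain building and signature checks."""
    info = inspect_certificate(cert_der)
    failed = [("no path to a trusted root", info["issuer_cn"] not in trusted_root_cns),
              ("outside validity period", not info["not_before"] <= now <= info["not_after"]),
              ("hostname mismatch", (info["subject_cn"] or "").lower() != hostname.lower()),
              ("signed over weak digest %s" % info["digest"], info["digest"] in WEAK_DIGESTS)]
    return [message for message, bad in failed if bad]

def der(tag, body):  # tiny DER encoder, used only to construct the sample certificates below
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:  # base-128, high bit set on every byte but the last
        chunk = [(a >> (7 * i)) & 0x7F for i in range(max(1, (a.bit_length() + 6) // 7))][::-1]
        out += [c | 0x80 for c in chunk[:-1]] + chunk[-1:]
    return der(0x06, bytes(out))

def build_sample_cert(sig_oid, issuer_cn, subject_cn, not_before, not_after):
    """Constructed sample: real X.509 v3 layout, placeholder public key and signature bytes."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der_oid(OID_CN) + der(0x13, cn.encode()))))
    alg = der(0x30, der_oid(sig_oid) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x02\x03") + alg + name(issuer_cn)
              + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode())) + name(subject_cn)
              + der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, bytes(17))))
    return der(0x30, tbs + alg + der(0x03, bytes(33)))  # signatureValue is a placeholder, not a real signature

def run_demo():  # a SHA-1-signed cert like the PayPal one in the post, its SHA-256 twin, and a host mismatch
    roots, valid = {"Example Trusted Root"}, ("050101000000Z", "060101000000Z")
    sha1 = build_sample_cert("1.2.840.113549.1.1.5", "Example Trusted Root", "www.example.com", *valid)
    sha256 = build_sample_cert("1.2.840.113549.1.1.11", "Example Trusted Root", "www.example.com", *valid)
    return {"sha1": check_certificate(sha1, "www.example.com", SAMPLE_NOW, roots),
            "sha256": check_certificate(sha256, "www.example.com", SAMPLE_NOW, roots),
            "wrong_host": check_certificate(sha256, "www.example.net", SAMPLE_NOW, roots)}
```

Running run_demo() flags the SHA-1-signed certificate, passes its SHA-256 twin, and reports the hostname mismatch. The tbs_digest_hex field is the value the CA's signature actually covers, which is why a collision for that digest matters: a second certificate body with the same digest would pass the signature check under the first one's signature, and no amount of 128-bit session encryption afterwards helps.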

I expect that within a couple weeks/months people will start panicking when their card gets stolen from underneath them. I have a solution for that: Go shopping at your local store...those places exist for a reason.

Ran across this...

I had no idea people could get SQL Server - you know, that huge hosebeast of a database server - for free:

http://www.microsoft.com/sql/msde/default.asp

Granted it only supports 25 concurrent users, but seriously, how many people is 25 concurrent users? The way I figure it, if a single user is considered as connecting and disconnecting within 100ms after executing their query, that's a total of roughly 250 users per second or roughly 15,000 users per minute without collisions. Of course, that assumes perfect timing connecting and disconnecting at that rate, so I'll assume there is some delay and say roughly 7,000 users per minute to be safe.

Of course, if people are hanging onto their SQL connections longer than 100ms, then the number drops dramatically.

Basically, if you are using Access or Jet or whatever, you can use this as a drop-in replacement. Sort of an intermediate step to a full-blown SQL Server environment. At the very least, it will be faster executing queries and deal with any current concurrency issues.

Wednesday, February 16, 2005

Bit manipulation...

Completely unrelated to what I want to talk about (but got me thinking about CubicSpot):

http://99zeros.blogspot.com/

Mark Jen got fired from Google after leaving Microsoft and putting information about Google on his blog, which is above. It was easy enough to find - thanks to Google it was the "I Feel Lucky" link from my keyword search "Mark Jen".

CubicleSoft (http://www.cubiclesoft.com/) has been tasked with the task (there's an interesting paradox - tasking people with a task is a task that has to have been tasked) to move roughly 1.5 million lines of C code to C++. The process isn't incredibly involved because a majority of the code has already been written in a modular format and has been well debugged. It is just the stuff that isn't modularly written (or the stuff that needs to be _re-written_) that is the major time killer, what with all brand-new test cases and what-not. As such, I haven't been loyally blogging to my heart's content because everyone's brains have been in a fog (including mine).

Ever get one of those days where you sit in front of the computer monitor and stare so long that when you look away, you suddenly realize that your brain is in a fog and you can feel it but can't do anything about it? If I sit for hours on end doing nothing but code, I get that way. It doesn't help that the outside weather is nasty grey to coincide with the grey matter inside.

The main reason my brain is in a fog today is because I have been manipulating bits. Why do I get the bit manipulation tasks? They aren't exactly hard, per se, just highly annoying. Usually I stare at pixels and make pretty pictures (of the 16x16 icon sort) to get into the fog I'm in now, but today it is bits. Not bytes or words or dwords (or qwords?). Just bits. Zeroes and ones. Off and on. bdldadbdldadldbldlaldbldalptptptttt. There's a real word for you. Go look it up in the dictionary.

There are a multitude of ways I recover from this mess. One is to go outside into the nasty grey weather. Another is to watch cartoons until my brain rots. Another is to play some mind numbing video game. Another is to read a technical manual (just kidding).

I don't know why, but I just can't seem to bring myself around to exercise when I get like this. I just want to veg. Do absolutely nothing.

Most people tell others in their blog what song they are playing currently at the end of the blog entry. I'm not going to do that. Instead, I'll just share some equally useless factoids:
Current number of open programs listed in my taskbar: 18.
Taskbar position: Left-hand side of the screen (there's actually a story behind this one).

Thursday, February 03, 2005

More on the mini

Everyone's chatting about the latest development at Apple, so this is likely to get lost in the mix. I've been in contact with Bill Fox at www.macsonly.com. Great website, by the way, for understanding what is happening in Mac land. Anyway, here is what I've been looking for in terms of hardware details that PC users are wanting to know. Bill's reply to my major issue with the Mac mini revealed some important information about the internal guts:

"The hard drives in the minis are not Mac drives; they are typical 2.5" ATA notebook drives found in PCs and Macs. Their RPM is 4200. You can get a 100GB 5400RPM notebook drive or a 60GB 7200RPM drive and those are the largest and fastest available.

If one needs a huge drive, one can use an external FireWire or USB 2.0 3.5" drive."

Apparently the Mac mini hard drive is not only small, but ALSO kind of sluggish. Most PC notebooks seem to have 5400RPM drives in them, but the mini is only 4200RPM. However, you only need serious performance on the drive end of things if lots of data is being moved around.

I think I've figured out the best combination for how to work with a Mac mini. I would get the default base $499 system and then pick up an external Western Digital 250GB USB hard drive (7200RPM) for an extra $141 (memorylabs.com has a good deal according to pricewatch.com) and a USB hub (the mini only has two USB ports). So, after S&H charges/tax/whatever, the total system cost is about $700 and blows away my primary server specs (most PCs today do, but not by much - the hard drive to RAM and RAM to CPU transfer rate still blows away some newer quad systems), rivals my primary super-fancy 3GHz system in some regards, and compares nicely to the laptop. It would even fit on my existing server tower case quite comfortably.

$700 for a nice system suitable for pretty much anyone (minus those with serious data processing needs - we're talking about people who move well over 2GB/min). Not as nice as my 3GHz, but still nice. The idea of the Mac mini is beginning to rub off on me. I've never been a fan of Mac simply because of the price (and those awful one-button mice - thank goodness for my USB 2.0-compliant Microsoft Explorer mouse), but the mini really is a different beast.