the subject matters

Sure, a good subject can be used to index properly your emails. For example try to use some kind of convention, do not throw the subject as a previously known conversation. For many years I’ve been using my own convention on electronic mail subjects for my projects. Generally I use the form: "Client, Project, Real Subject" or "Project, Real Subject". So you can easily find your messages related to each project just by looking on the subject. The proper subject is a good introduction to the email that you will write or read.

the format matters

Plain text (text/plain), wrapped on column 76 or 64 — it depends on your taste — with well formed paragraphs and using the proper mime encoding for localization — on Usenet and some mailing lists is useful to use US-ASCII as encoding. Many companies are using HTML formatted mail with those gif images as company logos attached, and sometimes a huge disclaimer as email footer, and many replying on top of the previous message. Well, your fancy looks ugly here. I use Kontact, hence I use Kmail and a great feature of Kmail is the fact that it do not opens HTML formatted mails immediately, it regards my preference and ask me if I want to open it. Do you remember the I love you virus which was spreading through electronic mail?. Fancy colors and pictures leave your mail looking as SPAM, overfilled with propaganda, and those huge disclaimers for me are a disrespect to me, since it is like to send a real mail, and mail service opens the envelope and attach another document into it.

A possible solution is to standardize the proper E-Mail header for those bring that information without modifying the content of the original message:

• X-Company-Logo, should contain an URL to the company logo. I hope that it should reside under HTTPS protocol.
• X-Disclaimer, should contain an URL to the company disclaimer of the electronic mail.
• X-Sender-Identity, should contain an URL to the sender contact information, possibly a vCard or a plain text signature.

Sending that information — since most SMTP email is authenticated — can be easyly inserted on the electronic mail and it will become a part of the envelope, not the original message.

labeling for indexing

Many mail clients are using labels to create additional indexes on the electronic mail, but seems that is not standardized. Here an additional mail header should be useful — I hope that most companies will agree. X-Labels should be used to add labels to the electronic mail, it can be delimited with the ;; string. So, it will become standardized for most clients, including on sending mail, so the mail client can receive them and ask the user if he wants to add the label.

conclusions

Read some mailing lists or Usenet newsgroups to get introduced on how to write and read electronic mail. Read the RFC 1855 to get the real rules on formal electronic mail. Stop sending that fancy electronic mail, it has no sense, your company will not be more respected by sending those mails, for many people it has the opposed effect.

Copyright © 2010 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2010. | Permalink | No comment
Post tags:

Phishing is a criminal activity. I’ve recently received an electronic mail with one of those phishing attempts. Surely I’ve ignored since I know how to read the electronic mail headers and some other useful information that comes in electronic mails. The Wikipedia refers to it as:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

This time — I usually receive those electronic mails — I’ve received an important announcement from a Chilean bank, but really it was a phishing attempt. How do I know that? It appears to be quiet real, but what is behind all those pretty and trustful words?

The electronic have a plain text format. Yes! is not a binary format like Micro$oft Word or another kind of electronic format. This format has standard basis from the RFC 5322, and looks pretty similar on every message you sent and you receive. As the RFC 5322 standarizes the message format, the message format is as follows:

A message consists of header fields, optionally followed by a message body. Lines in a message MUST be a maximum of 998 characters excluding the CRLF, but it is RECOMMENDED that lines be limited to 78 characters excluding the CRLF. (See section 2.1.1 for explanation.) In a message body, though all of the characters listed in the text rule MAY be used, the use of US-ASCII control characters (values 1 through 8, 11, 12, and 14 through 31) is discouraged since their interpretation by receivers for display is not guaranteed.

Well, message headers are an important task while we are examining the message. You can view the original message by saving your email as plain text and looking at it with any text editor. Find a menu with View Source, View Message Source, View Raw Message, Save As (…plain text), and similar options to take a look on the message source. Well, this phishing mail has some interesting headers, such as the Received header, which indicates how the mail message was received by MX servers or mail servers:

Received: (qmail 12145 invoked by uid 1552); 14 Sep 2009 08:38:10 -0000
Received: from virtual1.webair.com (virtual1.webair.com [216.130.161.111])
    by mail07.ifxnetworks.com with SMTP id 9f9zhdib52zaavt9vaiekajna6;
    for dmw@unete.cl;
    Mon, 14 Sep 2009 08:38:10 +0000 (GMT)
    (envelope-from monitor@santander.cl)
Received-SPF: None; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; envelope-from=<monitor@santander.cl>;
    helo=virtual1.webair.com
X-Avenger: version=0.7.9; receiver=mail07.ifxnetworks.com;
    client-ip=216.130.161.111; client-port=2914;
    syn-fingerprint=32768:58:1:60:M1380,N,W0,N,N,T FreeBSD 4.8-5.1 (or MacOS
    X); data-bytes=0

My electronic mail address which received the phishing mail, is hosted at IFX Networks, so the final receiver — from top to bottom — was the ****.ifxnetworks.com server. Electronic mail routes can be longer that this one, but you can read as final receiver from top to the initial receiver to bottom. WOW! What a surprise!, the initial client is 216.130.161.111, let see from where comes that IP address…

[www@quake ~]$ geoiplookup 216.130.161.111
GeoIP Country Edition: US, United States

[www@quake ~]$ nslookup 216.130.161.111
Server:         200.62.2.180
Address:        200.62.2.180#53

Non-authoritative answer:
111.161.130.216.in-addr.arpa    name = virtual1.webair.com.

WOW!, the client comes from USA, not a Chilean sender! and matches with Spam Filter receiver at IFX: helo=virtual1.webair.com. Why a Chilean bank wants to send an important advice from foreign servers? it smells like pure phishing. Now let me see what are indicating the NIC servers from that domain:

[www@quake ~]$ whois webair.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

WEBAIR.COM.BR.GAROTAEXECUTIVO.COM
WEBAIR.COM

Hhhmmm… looks like a Brazilian domain . Looking at the real entry: GAROTAEXECUTIVO.COM.

Registrant:
   Executivo
   Rua: Executivo 3333
   Sao Paulo, Sao Paulo  01313000
   BR

   Registrar: DOTSTER
   Domain Name: GAROTAEXECUTIVO.COM
      Created on: 24-OCT-07
      Expires on: 24-OCT-09
      Last Updated on: 04-OCT-08

   Administrative, Technical Contact:
      Club, Executivo  postmaster@postmaster.com
      Executivo
      Rua: Executivo 3333
      Sao Paulo, Sao Paulo  01313000
      BR
      551122334455

Yeah! it’s a Brazilian one! Now, looking for all those URLs to make me fall in the fraudulent activity of phishing, where I’ve found three interesting URLs:

• hxxp://www.santander.cl/estilos/2008_08/bitmaps/santander.gif
  WOW!, it points to an image at the Chilean bank — I’ve replaced the t for x intentionally — and surely this will make some believe some people that the electronic mail is quiet real.
• hxxps://www.officebanking.cl/images/porque.gif
  WOW!, it points to an URL of the same bank but using the HTTPS protocol, this will make a possible client to believe that is pointing to the real bank, since many email clients asks for the site certificate. Interesting.
• hxxp://www.fpfa.esp.br/imagens/campeoes/st2.php
  WOW!, the full URL to the phishing site! I’ve not opened the URL, and I don’t know what is behind it :B

The piece of code with the link to the phishing web site in the body of the message:

<span class="style10">
                                            <a target="_blank"
href="http://www.fpfa.esp.br/imagens/campeoes/st2.php">
                        <img
src="https://www.officebanking.cl/images/ingresar.gif"
align="middle" border="0" width="65"
height="21"></a></span>

conclusions

• You can not trust in banking electronic mail until you strongly verify the electronic mail.
• You can not enter any site with your financial institution logos without verifying the URL bar.
• Google permits to download the message source.
• Use a good electronic mail client, for example Thunderbird has good advices on spam and phishing.
• Certainly the www.fpfa.esp.br site was cracked, and was used for phishing activities, and I’ve blocked it in my browser.
• Those virtual1.webair.com servers are widely opened to be used by spammers, and I’ve added them to my blacklist.

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2009. | Permalink | One comment
Post tags:

Recently, Micro$oft has launched a new open source collaborative platform called CodePlex. From its announcement:

Microsoft’s strategy with open source has evolved over the past several years as we strive to make Windows the platform of choice for customers. My team has participated in that process first hand, we’ve worked hard with the PHP community to ensure PHP runs great on Windows, integrated PHP installation into the Microsoft Web Platform Installer, and engaged some of the most popular PHP applications like WordPress, Drupal, and SugarCRM to ensure customers have a great experience running these applications on Windows and IIS. We’ve also worked closely with the jQuery project to make it a natural part of building applications with ASP.NET.

If really their strategy is to allow their customers to continue using their platform, another hidden issue about the CodePlex Foundation are the terms under the code is shared — just take a look on the allowed licenses — and their contributor agreement, where Josh Berkus spotted the problem with it in his article titled "Codeplex: Stay Away". A point on the agreement mentions:

You grant Foundation a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute the Submission and such derivative works, and to sublicense those rights to third parties.

Which is interpreted by Josh Berkus as:

You grant Codeplex the right to give, for free, forever, under any license they please, your work to Microsoft and its partner corporations.

Damn!, I think that I must not put ever my source code on CodePlex!. I’m not a lawyer expert, but seems that Josh have the true in his interpretation. The full agreement is placed here. Also, in the announcement comment responses, they ensure that there is no relationship between CodePlex Foundation and CodePlex.com:

There is no other formal relationship between the CodePlex Foundation and CodePlex.com run by Microsoft. I anticipate the foundation will accept projects hosted on CodePlex.com or any other project hosting site. For more information on common questions like this one, see the FAQ posted on codeplex.org/faq-mission.aspx.

In the FAQ they are refering to their mission, and the FAQ have a question on it: "Why is Microsoft involved in the creation of an open source foundation?", they mention the fact that Micro$oft is supporting the Apache Foundation and similar recently made moves from Micro$oft. But what is behind?, a recent move was the release of FOSS drivers for the linux kernel with up to 20000 lines of code — me as a single developer have contributed with a similar amount of lines of code — but, have they really release the code to contribute to the community?. Seem that the answer is not. In a recent article titled "Microsoft opened Linux-driver code after ‘violating’ GPL", we can find Micro$oft releasing the just after some discussions, and the real intentions behind that are not yet clear.

We don’t know why Microsoft positioned the news as something it was not. Maybe it was because of the strategic and political importance of Hyper-V to the company, the unmissable kudos of embracing GPL and helping Linux on Windows, and how such an act could finally silence doubters.

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2009. | Permalink | No comment
Post tags:

A memory leak regards the concept of "non released and unused memory, an unintentional failure that makes your program hold memory when is not longer needed". This means that even you create a new instance of an object — in C++ — without releasing it’s memory; you request a memory block — in C — with malloc(3), mmap(2) or sbrk(2) families of functions and similar tasks; or simply you setup an object reference without releasing the reference, when you left the object usage in your code logic and the reference is kept without letting the interpreter or garbage collector destroy it — as in dynamic and virtual machine based languages.

A memory leak is the gradual loss of available computer memory when a program (an application or part of the operating system) repeatedly fails to return memory that it has obtained for temporary use. As a result, the available memory for that application or that part of the operating system becomes exhausted and the program can no longer function. For a program that is frequently opened or called or that runs continuously, even a very small memory leak can eventually cause the program or the system to terminate. A memory leak is the result of a program bug.
Source: WhatIs.com

From the basics, we will review single tasks on C, to more complex tasks on dynamic languages, such as JavaScript. My apologies to all those people that thinks that "memory does not matter" and saw you "don’t worry about memory if you are using a language with a garbage collector" and even saw you " don’t worry about memory if you are using a dynamic language", but certainly all those people are wrong. Releasing memory and kind resources is an important task. Just take a look on the Internet and search about System.OutOfMemoryException for C#, java.lang.OutOfMemoryException for Java, "PHP Fatal error: Allowed memory size of NNNNNNN bytes exhausted" for PHP, and some other well known issues. Isn’t strange that you will find some of those errors currently running on Web Servers. Usually it have a common, quick and dirty solution: "just increase the memory limit, stack size or the amount of memory available for your program".

the basics with c

On C, every reserved block must be released. The standard library way to allocate memory is the malloc(3) family of functions. Also, there are many programs and languages too which are using it’s own memory allocator  through system calls such as mmap(2) and sbrk(2). If you are using an Open Source operating system, such as Linux or FreeBSD, you can take a look on your system wide memory allocator implementation. Dynamic allocations, given by this kind of calls, allocate memory on the heap, which can grow until it reaches the memory limit given by the system that are running on.

A single way to track the memory used by your program can have the form of the next piece of code:

#ifdef CUSTOM_MEMORY_TRACK
#define malloc(s)       my_malloc(s);
#define free(p)         my_free(p);
#endif /* !CUSTOM_MEMORY_TRACK */

int total_allocation_calls = 0;

void *my_malloc(size_t sz) {
    total_allocation_calls++;
    return malloc(sz);
}

void *my_free(void *p) {
    total_allocation_calls--;
    free(p);
}

/* to use with as:
      atexit(my_display_allocations);
   in main() */
void my_display_allocations (void) {
    printf("Total Allocations: %d\n",
           total_allocation_calls);
}

Then, if you use this piece of code and setup an atexit(3) call in main, you can get a message like: "Total Allocations: 0", only if your program does not have memory leaks. And "Total Allocations: n", with n greater or equal to one, if your program have memory leaks. Be careful with that! There are many functions or systems calls that are allocating memory!, in example the strdup(3) family of functions, and those functions requires that the allocated memory must be released (deallocated) after they are used. For C programmers, it’s known that there are a lot of nice tools to detect memory errors, such as memory leaks and invalid memory access (write/read). Surely you know about valgrind! . Do you understand the valgrind output?.

First of all, change your mind, resolve compile time errors. Try compiling your programs with -Wall -Wextra -Wshadow -pedantic -std=c99  flags. They will show you how portable is your code. Let’s go with valgrind now, where the error format have the form: "Error Message\n…backtrace…"

Address 0×0000000 is n bytes inside a block of size m free’d

==28023==  Address 0x42d4010 is 8 bytes inside a block of size 100 free'd
==28023==    at 0x40270FC: realloc (vg_replace_malloc.c:429)

The given address have an incomplete memory release operation, where it holds n bytes of m free’d and occurs at memory address 0x40270FC, in the function realloc(3) on the file vg_replace_malloc.c at line 429. Since it is a system wide function and it is not a part of your program, usually the system do no have a bug, and you must look on the entire backtrace until you reach your code in the backtrace. When you don’t have errors, you may look a message like this:

==21624==
==21624== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==21624== malloc/free: in use at exit: 15646 bytes in 13 blocks.

I will try to explain more valgrind messages in other post.

dynamic languages

When reference counts marks the object as being used, and you don’t really are using it, you have a memory leak. The common way of execution for PHP scripts is that they are always holding more and more memory. Usually the common solution for PHP scripts is that you increase the runtime memory limit for the scripts on the server by changing the value of memory_limit configuration variable. Certainly you are wrong. You can avoid the extra memory usage by releasing resources, such as unused objects and variables. A good side of PHP is that it have an unset() function, that let’s you release allocated resources — some special resources needs to be deallocated using special functions, such as imagedestroy(). And really, PHP do not have a any kind of garbage collector, it just releases the allocated memory when the script have finished it’s execution. Some extensions would help, such as xdebug.

Python have a small implementation of garbage collector and really I have not seen mistakes in it like PHP about memory leaks. Only some extensions — written in C and C++ have some memory leaks. Here applies the same logic, you must reach a reference count of zero to let the objects being released. Python have a well documented Memory Management implementation.

Not much to say, just be careful with dynamic languages and it’s implementations, because many of them are extensible, many of their extensions would have memory leaks. PHP is a separate case… many people do not call it a language.

vm driven languages

Most of them have a garbage collector implementation. Do not tell me that Java is safe on this topic, or C# .NET is safe too. Just look at one of my previous posts, and then think a little. If Java, and other languages having a garbage collector implementation are really safe, why you can look live errors on the Internet as the OutOfMemoryException… The reason is simple: they have memory leaks, but not they really. Instead we have developers that have trusted the slogan that says "programming in vm driven languages is safe, don’t worry about memory". And then you have your JEE server or Application Server running the famous OutOfMemoryException, and you nearly to the quick and dirty solution like increasing the memory limits for your server.

Usually, more honest providers, let you know that the best way to mark an object as eligible to release it’s memory, is to set the object value to null. Then, the object reference count would reach zero, and the object will be released by the garbage collector. Java, Mono (use the source Luke!) and .NET have a well documented garbage collectors. Just learn how are made! And you will avoid common mistakes on this topic.

finally

Do not forget to release the unused resources…

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2009. | Permalink | No comment
Post tags:

A long time ago I was wondering how to learn CSS2. Not as a professional target to apply all this knowledge in a professional way as web designer. The main reason was to be more conscious about what a good web design means. Standards basis are important, but I’ve found some modifications that are applied to Internet Explorer and related browsers.

Errors on Internet Explorer aren’t a strange behavior. Also common modifications are well known to web designers. I’ve started this wordpress theme from scratch. I’ve found that it was have the target look and feel that I was seeking for. Everything was going right until I’ve taken a look in Internet Explorer versions 6 and 7. The result was horrible. Seeking for some modifications to apply in my wordpress theme, I’ve found everything I wanted, but horrible ones too and I’m not sure about the standard basis on them.

From the Internet Explorer Blog, they are exposing excuses about the Internet Explorer rendering mistakes:

If you open the newly redesigned whitehouse.gov in Internet Explorer 8 on Windows 7 Beta, you’ll notice that the dropdown menus don’t hide correctly when you hover over other menu items.

This is because the version of IE8 in Windows 7 Beta is somewhat older than the Internet Explorer 8 Release Candidate (IE8 RC1) that we’re about to release for Windows Vista and Windows XP. Internet Explorer 8 RC1 displays whitehouse.gov correctly — without this menu issue, as does most recent internal Win7 build.

Just two paragraphs and I can take the idea that ie-sucks.css. Yeah!, I’ve joined the campaing ie-sucks.css and the common IE modification of:

<!--[if IE]>
<link rel="stylesheet"
      href="/ie-sucks.css"
      type="text/css" media="screen" />
<![endif]-->

And created a special cascading stylesheet for this particular browser, since it doesn’t support the CSS 2 Standard and do not pass the Acid 2 Test. Now I’m more conscious about the effort that web designers must do to mantain a standard cascading stylesheet. From the start that was my target, understand CSS2 as technology and to talk a common language with web designers in what CSS2 refers. My special thanks to Ricardo Osorio for the recomended book, Diego Diaz and Jonathan Ramirez for the given css modification, and Claudio Zelada for his expert opinion. Also I must thank to Gonzalo Diaz for the IE Blog link.

Copyright © 2009 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2009. | Permalink | No comment
Post tags:

Sometimes is painfull and others funny to look at Web Application Requeriments made across the time. While the time pass through a thin line of evolution on the flexibility on Web Based Applications, more complex are the requirements made to developers, sometimes imposible to handle and unconscious of what a Web Based Application means.

Many times we reach the point of unconscious requirements on WBAs on what is and what we can do with these applications, people that doesn’t thikn think these applications as client/server applications, where the client have only one interface to make the content dynamic, and not intended to access system specific facilities: the embeded scripting language — usually JavaScript — and some people still think that JavaScript will allow some controll over the computer, and outside of the Web Browser. Since I know that these things only happens with viruses — which affects only certain operating systems — I personally try to avoid the usage of certain operating systems and browsers.

The point on Portability

There are a lot of common examples, with the mainstream of special device handling, whereas the goal of the WBA is to handle and manage the given device. Then we get responses as "implement an ActiveX control" or "implement a Java Applet". Both answers remains under platform dependant solutions, and both require complex user interactions. First, an ActiveX control is a Micro$oft dependant solution, works only under Inernet Explorer and needs the user acceptance to certainly get access to the desired device, such as a special printer, smart card device or other kind of special device, then, the user must modify the browser policies — in this case Internet Explorer — to access the device allowing the installation of the needed ActiveX control. At the other hand, Java Applets needing access to hardware devices, must implement wrapper classes through JNI interfaces — these interfaces are written in C or C++, where both languages are completly native — and again we are on platform dependant solutions. Also, we need to modify the Java Security Policies to grant access to hardware devices, special files or other kind of system wide resources. Then I can think with strong arguments that these kind of Web Based Applications are not portable and can’t be considered as Desktop Applications, but largely used by the implementation costs.

Both solutions require the user intervention. You can’t overwrite the .java.policy created by the user and Java do not allow through the proper and protected API to modify the .java.policy file. At the other side, ActiveX controls reach the same situation, needs the user intervention to allow the Web Browser to instantiate and run these software components, you need to grant certain access to some site in your browser to allow them, but when it is a Virus or antoher another kind of Malware you get infected instead of getting your browser applying the security policies…

Also we can look at Web Designers how they are implementing portable CSS… always they need ugly hacks because most browsers don’t implement the right behavior by interpreting the CSS and many times getting CSS out of known standards.

The point Realibility

One particular case — to which a was in front off — was a managed printing through a WBA under Micro$oft Wintendo as client. I’ve made an ActiveX control that was using — not directly — the hardware driver to print a PDF file. The printing process was required as silent and without the user intervention, directly to printer. This means no prompts, no dialogs, no download window… really a trouble without an ActiveX control. Then we get a requirement of silent install for the ActiveX control, this means no user interaction installing and allowing the ActiveX control — again no prompts, no dialogs, no progress diaglos dialogs — to be installed and instantiated through the WBA in the client browser.

A Web Browser is a client, a single process and a single thread per page/site that it’s opened. Under this criteria, you can’t expect any process control or thread control under the Web Browser. Since JavaScript is a single-threaded scripting language, and you can’t create more threads than the current execution thread for the site that it’s visited by the browser, you can’t expect to control animations and wait loops while you are executing JavaScript — as result of sequential interpration interpretation of the scripts — where one of the given requirements was to animate the web page while the ActiveX control was working. The result was that the animation is freezed until the printing process was is finished. Meanwhile the JavaScript that is controlling the ActiveX component was running, the GIF animation in the web page was freezed… With a Real Desktop Application certainly we get more control over these requirements, but most of them aren’t implemented because these application means a cost that companies that don’t wan’t to pay — it’s easier to get a Good Web Developer rather than a Good Desktop/System Application developer.

By allowing ActiveX Controls or Java Applets, you are opening more posibilities to reach a malware infections.

The point on Standards

We constantly reach a common advertising behavior instead of rock solid behavior in matter of standards. All the effort that W3C makes to bring orientation on how to construct web pages can be broken by another commercial rather than real standards based proposal: "The Web [0-9]+\.[0-9]+". Where many of the proposed technologies in this pesudo-standard proposal uses most proprietary technologies, and allows web applications to implement many of the right and clear standard based behavior under proprietary technologies such as Silverlight or Flash — where the last one was now have an open specifications but without full open standard support — have an underlying lie and it’s proposed by some companies rather than known and respected institutions.

The most live example is how Web Designers deal with different behaviors on different browsers regarding the CSS features. Every browser has it’s own rendering engine, some of them with short modified engines, and every browser has it own custom styling behavior. Common behavior is limited to certain basic styling notation and elements. The main conflict on that, appear on floating divs and similar tasks, fulfilled of CSS tricks.

Another mistake is JavaScript handling. Since some highly used browsers such as Internet Explorer different ways to handle the same events and objetcs, and one clear example is how are handled AJAX requests by this browser — without the standard XMLHttpRequest object. Instead, you must use an ActiveX Control, and the same ActiveX control can have multiple versions on the same machine…

The point on Security

Many times we think that our applications are safe behind a browser, but what about malware kind of software?. You can get easily infected if you don’t have the right policies and you are doing something wrong as user, such as navigating as super user in your machine.

Some platforms, simply can’t get infected, otherwise by weak implementations, you can get infected by suppliying supplying a few clicks on some sites. If you don’t run as super user in your machine, you can get infected with malware by user specific installers, without the need to be a super user and having administrative priviledges. The malware in this case, can modify the per user — in this case the current user — specific security policies for his browser, allowing more malware to infect your computer.

What about these applications that access special devices or have access to special files, such as client certificates. Imagine a spyware specially made to handle certain company specific component. The weakness of obtaining certain keys or passwords through sniffing techniques, or keylogging and sending compressed packets UDP packets of what are you typing are some possibilities in many others.

Some browsers and platforms are a backdoor itself. Other case are signed mails, can you trust in a company — such as Google or Micro$oft — to send your personal certificate or GnuPG keys to sign your mail? Certainly is ridiculous to think in that idea, mainly if they don’t provide any kind of warranty on what your personal or private data regards, just take a good reading on the policies that provide these companies.

Realize what is a WBA

Be careful with the proposed standards, read about which protocols, formats and, in general, is conceived as Open Standards for Web Based Applications. There are a lot of materials to read, from public Open Standards to well formed books. Start with the basis, the HTTP/1.1 RFC, and finish with theorical books, mainly about usability. Building WBA professionally isn’t an easy job, and mostly require a good knowledge on the kind of software you are building. If you work on WBAs, there are a lot of must read documentation available on the Internet and — certainly — if you fall under proprietary WBA development — I mean WBA development under NOT-Open Standards — you will need to know a lot of the WBA environment…

Copyright © 2008 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2008. | Permalink | 3 comments
Post tags:

By "where is the Internet?" I mean the Internet that have conceived Jon Postel and others kind him. Now everything seems to be a giant web based application. But there are many thing that you can’t do through a web interfaces. I remember that in earlier years, I was able to connect to NNTP servers running Usenet news. Sharing, commenting and helping other people was granted by netiquete rules. Now seems to be ignored and everyone is going with HTML messages, sometimes with ugly implemented MUAs or NUAs, that uncover the right behavior of these kind of software tools.

Also, I’ve tried using Google Groups few days, but there I can’t sing my messages through GnuPG. The same happens on my Gmail Account. I hate the HTML messages, everything seems to be an unordered soup of html tags from many people as the mail has been replied or forwarded the original message. You loose levels of quotes and it’s hard to understand the unclear messages in a tag soup stack.

I prefer plain text messages, more sane and clear to read.

> I am trying to test if a character gets into an integer field and
> found no solution. Even just a single character has no way to test
> when the field is an int.

First of all, all input is done in the form of characters.
The thing is that some sequences of characters can be interpreted as
representing an integer and some can't.

For me is more clear the replies for each paragraph, than reading the message at the top of the original message, it the real sense of a conversation rather than a competition to get known who has the last word and better style. You can get really loosed on the conversation if you try to read a really old message and sometimes, if you have some kind of ordered notes somewhere, you can store a complete thread in a single message with the complete conversation without loosing sense of the topic that involves the message.

Some forums are able to quote previous messages. But if my Internet connection fails — here in Chile is common to get a failing connection from any ISP, because most of them s**ks — I will not be able to read offline the messages I want.

Most people now think that Internet it’s about Web Sites and Instant Messaging — aka Messenger, Google Talk and Yahoo! IM — and don’t know other kind of services such as NNTP, IRC or Telnet and everything seems to fulfilled of advertising messages. Sometimes I think that the netiquete is completely loosed lost and nobody is making some guidance on that to the n00bs that enters the Internet. I frequently see unindented code in some forums and newsgroups, and who owns these messages is praying for help, then I can’t help someone without netiquete criteria.

My current ISP I think is planning to close the NNTP service. The NNTP server that connects me to Usenet isn’t updated and I can’t see none of the groups I was visiting frequently and I’ve been force to pay to access Usenet to another provider. Also I see clear that many messages on the newsgroups are advertising messages.

Instead of creating new specialized services, everything is going to be Web Based and considering how was designed the HTTP protocol, most communications can’t be reached seriously. I just can’t imagine a security advisory announcing a high impact bug though a Web Interface without any proper signature to validate the authenticity…

Copyright © 2008 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2008. | Permalink | 2 comments
Post tags:

Recently I’ve discovered a spyware infecting computers though the weak autoplay implementation.

I was looking for the connections at one notebooks that I use frequently — but many of them I don’t own — and I look a strange connection to some irc ports. Since I don’t enter to IRC servers while I’m under Wintendo, it was completely strange. Using the third party sysinternalls sysinternals tools from Micro$oft, I’ve pointed to the process that were making these strange connections. I’ve examined the processes with procinfo, killed them with the same tool, and moved the files outside of the system, compressed and carried out to my FreeBSD workstation.

C:\WINTENDO\> procinfo -p "\\system32\\explorer.exe" -dk
[16] C:\WINTENDO\system32\explorer.exe
	Base Addr   : 0x7E340000
	Entry Point : 0x00000000
	Image Size  : 53248.00 bytes
[16] Killing process... done!
All actions over 10 done!
C:\WINTENDO\> procinfo -p "\\system32\\ctfmonv.exe" -dk
[12] C:\WINTENDO\system32\ctfmonv.exe
	Base Addr   : 0x75546000
	Entry Point : 0x00345634
	Image Size  : 53248.00 bytes
[12] Killing process... done!
All actions over 9 done!

Inside FreeBSD, I’ve installed a disassembler, and looking at the assembler code, linked libraries, I’ve seen that the spyware/troyan was linked against Visual Basic Runtime Libraries, ugly implementation for a virus. Also, I’ve seen some messages sent to the IRC channel where it connects, some typical signature as:

Welcom to Sun@w0rm.a You are the rOot   sL#>
www.xxxxxx.cl | www.xxxxxx.cl/foro

I’ve tested at least three antiviral solutions. None of them have detected anything, and also the installed antiviral solution have not detected it. Just the McAfee virus research center have detected it as w32/autorun.worm.bo. This means just that the last antiviral solution of some providers can detect it. Imagine how weak is Wintendo and how big is the antivirus business. Then I’ve tried creating security policies under Wintendo, but it didn’t work. Only deactivating the autoplay feature I was able to stop the spyware — Wintendo does not comes with a tool to do that, you must download the TweakUI powertoy.

Now, based on the disassembled code, I know the server, channel and nick that is using this guy. Also, the backdoor creates a file called "c:\file.txt" that is readed by cmd.exe. The commands are given from the IRC chat as messages and the commands output is sent as message back to the attacker. If you have Wintendo XP, you may be asked by the Wintendo Firewall to allow or deny the access to the Internet for both Windows Library and Messenger programs to communicate outside. Since both programs have concurrent names, you will allow them. Check your registry for the Run, RunOnce, RunServices, RunServicesOnce and Startup registry keys for the string values "Messenger" — pointing to "C:\WINTENDO\system32\ctfmonv.exe — and "WinXP", "Windows XP" or "winxp" — pointing to "C:\WINTENDO\system32\explorer.exe" and use procinfo tool to kill the processes pointing to these executable files, then remove the registry entries.

Not because I’ve made it, but procinfo is a nice tool, you can kill a process that have a lock on some DLL that is infected, and then remove the referred DLL, just by running:

C:\WINTENDO\> procinfo -m "\\s345dfg.dll" -dk
[16] C:\WINTENDO\explorer.exe
	Base Addr   : 0x7E340000
	Entry Point : 0x00000000
	Image Size  : 53248.00 bytes
[16] Killing process... done!
All actions over 10 done!

Well, as weak as is Wintendo, I hate to use it… And I ask my self for "how many unknown viruses are infecting computers running Wintendo right now?". Too weak for my taste…

Copyright © 2008 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2008. | Permalink | 2 comments
Post tags:

Today was another development nightmare day, everything seems to be cloaked in wrong events. Me under pressure and Winbloat — call it Micro$oft Windows — fails everywhere I need it working.

In the company where I work we use some tools to validate the source that is given to the clients and coding IDEs to work around languages such as Java and .RETARD — call it .NET if you want — including Eclipse and Visual Studio. Also, there are some proprietary validation tools to use with proprietary structured text file formats out of known standards.

Events related to eclipse were things like loosing library references — jar files — and slow project compiling tasks and non-writable files after file locking actions given by the operating system — do you know I work with Micro$oft Wintendo? — and then a reboot is the only solution — I know the unlocker program, but I don’t have it installed and also I prefer a solution given from the product manufacturer. Well, the project is huge, a lot of lines of code and classes to compile and really can’t imagine a .RETARD project with similar to this, I think that is possible to get a half day compiling a .RETARD project with all those lines of code.

Looking at the proprietary validation tool, from the Yoyodine company, I get "everything is working" messages. Since I know a little about Perl and I’ve prototyped some of my work under Perl — such as acl-user-tools, a small C language project to manage users around a web hosting environment — and, just for fun, some Irssi scripts, such as Irssi Exp. I use terminal based IRC clients, since while I’m working under FreeBSD-CURRENT I need lightweight software.

Here the point turns black. Since Micro$soft Wintendo has an association registry between the file extensions and the script interpreter, I was completely wrong about calling scripts directly from the command line without giving the path to the interpreter under the non-user-friendly Wintendo Command Interpreter known as cmd.exe.

C:\somewhere\in\the\disk > yoyodine-validator.pl < file-to-validate.txt
There isn't problems in the given file

Everything is OK and I’ve sent the software parts to the company client. The response was clear "have you validated the software?". Nothing working in the Wintendo Non-Operating System, and I get this response, since I have lunched in 20 minutes to get software validated and working at time for two weeks and two days, I was hating the non-operating system for a while with the fixed idea of kicking off my workstation.

Looking at the file association registry, the way by I was running the yoyodine-validator.pl isn’t wrong for someone who knows about scripting languages such as Perl. Under *NIX operating systems — call it *BSD or Linux — scripting languages runs using magic strings and file permissions. The magic string isn’t so different from the form "#!/path/to/interpreter" at the beginning of the script and the file permissions are execution permissions to the user that is running the script. Micro$oft Wintendo have a different way to make a script runnable.

I have associated the perl extension and the running statement is:

Since a perl script can have many arguments, the first thing wrong in the calling statement is number of arguments, passing just the first argument — anyone knows if the cmd.exe command line interpreter is well documented anywhere? — and the rest of the argument aren’t present in the calling statement.

If you remember the script was called using I/O redirection, inherited from *NIX systems, and these arguments aren’t passed directly to the interpreter, instead are handled by command interpreter. Since the registry calls the native Wintendo shell — known as Wintendo Explorer — it ignores the input redirection given from the command line. The result, is an input stream completely loosed. Then I think "wintendo command line shell cmd.exe and windows shell explorer.exe aren’t integrated" since you can not pass an input stream from the command line to the program launched from the Wintendo shell. Another non-documented and buggy behavior of this non-operating system.

The solution to work with similar tasks is calling the programs directly from the command line, overriding the cmd.exe pass-through-the-real-shell explorer.exe calling statements. Then we can’t emulate the *NIX magic strings and file permissions to get a script working as a native command. Somewhere I’ve seen a magic string to work with script interpreters, but "where is documented?" and "does the system comes with the proper documentation to work on these kind of tasks?".

C:\path\to\anywhere > C:\path\to\perl.exe yoyodine-script.pl < to-validate.txt

A single line of code changes the behavior of a script program completely. If you ask me, Micro$oft Wintendo is thinked to work with games, word processors and spreadsheets. Wasn’t thinked as *NIX as we see in "Program design in the UNIX© environment" and do not have in any manner a consideration on integration between streams connectivity. If you want to integrate any component of the non-operating system, you must write an Active X object or write similar things — a high-cost implementation for a small task — then I think that Micro$oft Wintendo isn’t an harmoniously developed operating system.

The possible reason about this behavior it’s that cmd.exe is using the ShellExecute system call, instead of using a proper way to handle I/O redirection or piping functions. If I’m true, you can’t expect the right behavior on scripts if your trying to run them under cmd.exe by using registry associations on the scripts files. Then, you must research about possible magic strings in batch commands and use the script under these terms. Meanwhile isn’t a well documented way to use language interpreters under windows, you will not be able to run scripts directly…

Copyright © 2008 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2008. | Permalink | No comment
Post tags:

Mandatory development tools in any project are bug tracking systems and version control systems. Commercial side of software developemnt knows bug tracking systems as ticket systems, but don’t have another meaning. Who says that isn’t making any mistake on software development is wrong. We have clear examples on huge companies with known bugs issues.

The Dark Side

From the Microsoft NON-WORKING Knewledege Base we get a message like this.

As a result, Windows Explorer does not allow you to view or change the Read-only or System attributes of folders. When a folder has the Read-Only attribute set it causes Explorer to request the Desktop.ini of that folder to see if any special folder settings need to be set. It has been seen where if a network share that has a large amount of folders set to Read-only, it can cause Explorer to take longer then what is expected to render the contents of that share while it waits on the retrieval of the Desktop.ini files.

Obviously, this message tell us about a known bug — if you work with software that isn’t enable to write forcibly the files, you will not be able to save your work — but hidding by commercial targets. Seems like Micro$osft is making perfect software, you can’t report a bug anywhere. The worst philosphy on software developemnt. Also, the knowledge base is closed to the users — nobody can contribute with it.

Also, if I try to report a bug on Micro$oft products, and I search where to submit the problem, I get poor results. I ask if Micro$osft can handle an Open Source Model bug reporting system, how many errors would be reported by the users, remembering that the common Windows user have no knowledge on how to submit a probem report because they think that everything with their systems is OK.

The Force

In FOSS software, we get elegant ways to report bugs. We have have the direct feedback from the developers. But we must do the proper bug report.

Known ways to report a bug is using gdb backtraces and bug unit testing. A well betatester know how to compile the code and store the debugging symbols of the tested software — that’s the advanced way, a non-interrumping-performance way to get the debugging version — and the other way is pytting directly the debugging symbols in the software:

# the same flags applies to CPPFLAGS or CXXFLAGS
# configuring with debugging flags
env CFLAGS="-g3" ./configure --the-configure-options

# configuring with debugging and profiling flags
env CFLAGS="-g3" ./configure --the-configure-options

# do "man env" if you don't know env(1)

The, we begin our software testing, if we get a core dump, we can get the origin of the problem. After getting core dump images, we must set out core limit with ulimit built-in command — this command is common to the most shells available.

# start our backtrace
gdb /path/to/our/program /path/to/the/core.image

# then, inside gdb we get the backtrace by using the backtrace
(gdb) backtrace

A common way to get backtraces and report bugs to the FOSS developers. Then, we reach the Bug Tracking Systems and Issue Tracking Systems. The intersting part of this, is that the language used to report bugs is almost right, the common FOSS user knows how to describe the bug, from what was doing the user to problem it self — when the user have a well knowledege on what is reporing.

Keeping the software controlled is a hard task. Now we have a lot of tools on Version Control, Issue Tracking and Bug Reporting. Also the mailing lists helps a lot — the communication way of most FOSS projects — on solving problems as teams.

Every FOSS project has a bug report writing guidelines, the language must be clear and consistent, also can have attached the propper patch. The real nice thing of this: if the bug report is clear and points to the real problem, you quickly will get feedback from the developers — depending on how seriously is it. On commercial software, is hard to get a core image and then report a bug correctly. Some Micro$oft products are sending these images — recently added to their products — but you need to mount a development environment before.

I know people aged from with ages between 14 to 16 years old writing good PR’s or bug reports, I belive that they will be good FOSS software writters too, someday. They know the FOSS rules, such as RTFM. The FOSS community appears to be more motivated and dedicated to the software development than closed software developers. Every Windows user, aged from 14 to 16 years that I know, is always thinking on games, loosing time, then are asking about how to remove certaing virus from his computer or how to overclock his machine. I’ve seen some of these guys saying I will be a computer engineer, but not worried on what is learning really. How many hours doing nothing?. I disagree on games for younglins, I agree only if they have trained correctly xD.

Copyright © 2008 Daniel Molina Wegener
Atribución-No Comercial-Sin Derivadas 2.0 Chile

© Daniel Molina Wegener for coder . cl, 2008. | Permalink | One comment
Post tags: