Posts

Showing posts from March, 2008

detecting snake oil

Image
working for a bank grants me a privilege to work with a lot of partners in security-related projects. it seems that in most people mind, bank is equal to security, so they tend to set a very high focus on security (which is good) whenever they have something to present to me. all of the partners i've been working with for the last few years try very hard to prove that their solutions, their products, their networks...are secure.

some of them are pretty awesome, working with them sometimes give me a lot of hints to do the right thing (TM) in security. unfortunately, those are rare. in other words, most are clueless about security.

here are some hints that maybe helpful if you want to detect those snake-oil companies:

1. security-clueless often talks restlessly about stuff like firewall, ids, and anti-ddos (some even tell me proudly that their firewalls can strike back to the sources of the ddos attack;)). with all due respect to networking gurus, i have to say it seems that a lot of …

Cac cau hoi thuong gap ve ban quyen - Copyright FAQ

Thời gian gần đây ở VN liên tục xảy ra các sự kiện có liên quan đến vấn đề bản quyền. Chẳng hạn như việc hiệp hội Công nghiệp ghi âm quốc tế (IFPI) cảnh báo Hiệp hội Công nghiệp ghi âm VN (RIAV) về tình trạng vi phạm bản quyền nghiêm trọng của một số website tìm kiếm ở VN. Hay như mới đây, gia đình cố nhạc sĩ Trịnh Công Sơn yêu cầu những tổ chức sử dụng nhạc của Trịnh Công Sơn phải trả tiền tác quyền.

Theo dõi diễn biến của các sự kiện này, cũng như phản ứng của các bên liên quan và người ngoài, tôi nhận thấy một bộ phận lớn người dân VN còn rất mù mờ về luật bản quyền và các vấn đề liên quan.

Âu cũng dễ hiểu, bởi mặc dù được nhắc đến nhiều trên các phương tiện truyền thông, nhưng cho đến nay, theo sự hiểu biết của tôi, có rất ít các tài liệu tiếng Việt giới thiệu đầy đủ và rõ ràng về luật bản quyền. Và nếu có, các tài liệu như thế cũng thường được viết rất dài, với rất nhiều từ chuyên môn khó hiểu.

Tôi nghĩ đây là một trong những lý do khiến cho sự hiểu biết của người dân VN về pháp luậ…

chick quick facts

Image
1. pretty chick is not brainy.

2. pretty-and-brainy chick doesn't know how to use the Internet.

3. pretty-brainy-and-know-how-to-be-online chick is lesbian.

4. pretty-brainy-know-how-to-be-online-and-not-lesbian chick got logicaholic symptom.

5. pretty-brainy-know-how-to-be-online-neither-lesbian-nor-logicaholic chick turns out very secure, not easy to hack.

6. pretty-brainy-know-how-to-be-online-either-lesbian-or-logicaholic-and-easy-to-hack chick is rootkited already.

baamboo

Image
It seems that Baamboo, a very popular music search engine in VN, uses SQL full text search. This discovery makes me pretty surprised since all of the people I know use Lucene as soon as they want to create a search engine.

Lucene is very good at what it does. It’s indexing and storage performance is second to none. In fact, it’s so fast that a lot of companies use it as a quick-and-dirty storage dumping ground for raw data, knowing that it will be much faster and more scalable than a relational database. Why not take advantage of this incredible power and take one more item off of your database’s back? This is all not to mention the fact that a Lucene index query is probably a lot faster than an SQL query grabbing data from a Microsoft SQL Server full-text index.

If I were the designer of Baamboo, I'd use, yeah you got it already, Lucene and its sub-projects to do searching. A quick draft architecture should be a combination of Nutch and Solr, i.e. using Nutch to crawl the Intern…

please help testing my application

If you don't want to know what I'm doing, just go to http://ec2-72-44-40-221.z-2.compute-1.amazonaws.com/, and do some random searches. That's enough to help me ;). Otherwise, read more.

I've been doing some explorations of thrudb which is a new document-oriented database service. I want to see how good thrudb perform with large dataset so I feed it with DMOZ catalog which contains information about 4,600,000 websites in all other world.

I also write a small django application which accepts a keyword and query thrudb to get the relevant links to it. You can check it out at http://ec2-72-44-40-221.z-2.compute-1.amazonaws.com/.

As you use the application, you may notice that the time thrudoc takes for each query is much larger than thrudex. This is because, for the sake of simplicity, I use the disk backend for thrudoc and, as both Ross and Jake said, disk backend is not suitable for a large dataset. I'm going to load the same dataset to other backends such as mysql o…

Scary attacks

I'd never want to be targeted by people who are well funded, highly skilled and motivated like this:
Groups supporting freedom of Tibet have been attacked with highly targeted and technically advanced attacks.

Quoting an Asia Free Press news report: "AFP received an email Tuesday from someone claiming to be in Denmark, who had attached a file they said were pictures of Tibetans shot by the Chinese army. When AFP tried to open the attachment, a virus warning appeared."

So...what do these attacks look like in practice? Lets take an example. Here's an email that was mailed to a pro-Tibet mailing list three days ago. It looked like it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the email headers were forged and the mail was coming from somewhere else altogether.

However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability to exploit Adobe Acrobat when the document is opened.

The exploit silen…

more xkcd comics

Image
truth: nothing is more relaxing than reading xkcd comics on rainny sunday night. oh maybe sex does.

code talkers


reponsible behavior


network




alice and bob

Image
I've already read this xkcd comic many times but still can't keep not rofl when reading it again, esp. the last scene:

By the way, there is also the Alice and Bob rap by “computer science gansta rapper” MC Plus+.Alice and BobAlice is sending her message to Bob
Protecting that transmission is crypto’s job
Without the help of our good friend Trent
It’s hard to get that secret message sentWork tries to deposit a check of your salary
But with no crypto it’ll be changed by Mallory
You think no one will see what it is you believe
But you should never forget there’s always an Eve(Chorus)‘Cause I’m encrypting sh*t like every single day
Sending data across the network in a safe way
Protecting messages to make my pay
If you hack me, you’re guilty under DMCADES is wrong if you listen to NIST
Double DES ain’t no better, man, that got dissed
Twofish for AES that was Schneier’s wish
Like a shot from the key, Rijndael made the swishBut Blowfish is still the fastest in the land
And Bruce used its fame to m…

donotreply.com

From Slashdot:
The Washington Post's Security Fix blog today features a funny but scary interview with a guy in Seattle who owns the domain name donotreply.com.

Apparently, everyone from major US banks to the Transportation Security Administration to contractors in Iraq use some variation on the address in the "From:" field of all e-mails sent out, with the result that bounced e-mails go to the owner of donotreply.com.

'With the exception of extreme cases like those mentioned above, Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails.
I'm going to register noreply|no-reply|notreply|donotreply at some popular email providers in VN to see what may appear in my inbox ;).

Running Thrudb On Amazon EC2

In the last post I described a step-by-step guide to install Thrudb on your Ubuntu box. If you still can't manage to got it, keep reading, this post may make you happy ;).

1. AMI information If you are on Amazon EC2, you may want to check out these Thrudb AMIs (the OS is Ubuntu 7.10): + i386: ami-c71efbae + x86_64: ami-dc1efbb5 Note: guys at aideRSS had released some Thrudb AMIs but they used the old Thrudb source though. My AMIs use the latest version of Thrudb. 2. Start your instance Please consult Amazon EC2 documentation for how to start your instance. BTW, I highly recommend EC2 Firefox UI which is very easy to use. 3. Start Thrudb Once you login into your EC2 instance, run these commands to start thrudoc and thrudex: # cd /root/buildthrudb/thrudb/tutorial
# make start
Just ignore any output or warning. Use nestat to verify if thrudoc and thrudex has been started: # netstat -npaut
You should see lt-thrudoc and lt-thrudex are listening on 0.0.0.0:11291 and 0.0.0.0:11299 respect…

Thrudb on Ubuntu - installation guide

I've been playing with Thrudb project for the last several days. Basically Thrudb is a set of simple services built on top of Facebook’s Thrift framework that provides indexing and document storage services for building and scaling websites. Its purpose is to offer web developers flexible, fast and easy-to-use services that can enhance or replace traditional data storage and access layers. It’ is also an alternative to Amazon’s recently announced SimpleDB which Jake, Thrudb's creator, has provided some commentary on.

Below are step-by-step instructions to go from zero to running Thrudb on your Ubuntu box. It's mostly based on the excellent guide from YourSharade with some small modifications to meet the current Thrudb source code.
1. Initial Setup Alright, we’re ready to start installing. Most of the dependencies are available with apt-get, but some we’ll have to build from source. The first thing we need for thrudb is thrift, which itself has quite a few dependencies. Fi…

DDo.c sa'ch

Tôi luôn nghi ngờ những gì sách viết. Tôi chưa bao giờ tin mấy ông tác giả viết sách. Thiệt ra, không riêng gì sách, tôi thường nghi ngờ mọi thứ.

Những cuốn sách viết càng có vẻ hay, tôi càng nghi ngờ, phải kiểm tra lại bằng thực tế (cũng may đa số sách mà tôi đọc đều đúng và có thể áp dụng vào cuộc sống). Nhưng đặc biệt, có 2 loại sách mà tôi luôn đặt trong diện "cực kỳ đáng nghi".

Thứ nhất là loại sách "phát triển bản thân". Chúng phổ biến quá trời. Người người đọc "bí mật của may mắn", nhà nhà đọc "cho đi là còn mãi", rồi ôi thôi nào là "7 thói quen để thành đạt", "biến ước mơ thành hiện thực", "thay thái độ, đổi cuộc đời"...(xem danh sách đầy đủ ở đây, lưu ý là những cuốn sách này không phải dành cho trẻ con).

Tôi gọi những cuốn sách này là những cuốn "sách sướng", bởi đọc chúng rất sướng, thấy kích thích lắm, giống như tìm ra được chân lý, nhưng rốt cuộc thì chẳng giúp ích được gì cho cuộc sống…

La.i Linux vs Windows

Tôi thấy tội nghiệp cho những con người suy nghĩ như thế này:
Điều cuối cùng tôi thích sử dụng Linux là tôi không muốn phụ thuộc vào Microsoft.

Chả có nghĩa lý gì, không phụ thuộc vào Microsoft thì phụ thuộc vào Linux. Chẳng có gì khác nhau. Thậm chí Microsoft chỉ có 1, còn Linux là cả một đống người chẳng biết ai ra ai. Thực ra tôi rất ghét sự lệ thuộc của Linux. Với Microsoft là mối quan hệ sòng phẳng, tôi trả tiền anh cung cấp sản phẩm. Với mã nguồn mở nhiều lúc để down phần mềm tôi phải cám ơn, phải xin phép cái UN gì đó. Thấy có vẻ mình phải mang ơn người ta quá. Mà mang ơn cũng đúng vì người ta làm cho mình xài miễn phí. Nhưng quả thật, nếu không quá bắt buộc thì cũng không thích phải mang ơn kiểu đó.Sự thật là tôi thấy tội nghiệp cho tất cả những ai chưa biết đến những điều tuyệt vời mà Linux nói riêng và thế giới, cộng đồng nguồn mở, tự do nói chung, đã cung cấp cho nhân loại.

Nếu là tôi cách đây một hai năm, tôi đã nhào vào tranh luận, cố gắng "khai sáng" cho nhữ…