Security

Blog comments as a cryptographic transport mechanism

Almost every day I go through the spam filter for this blog. Invariably there are dozens if not hundreds of comments that I still need to at least skim (I once found a post from a colleague stuck in there, so I take the extra step just in case it happens again).

One thing I’ve been noticing is small messages that contain two or three sets of five to ten digits (which stand out from the C1Al1S - PR0N PR0N PR0N LINK LINK LINK type ads). These intrigue me, as there is a generated email address (typical for spam), but usually no links, or at most one, and links are one of the big things that the spam filters check.

I have been speculating since I first started getting these comments that something a little more nefarious than typical spam was happening here. It seemed to me that those series of numbers were either a key to something or a pointer to something… but definitely not spam in the usual sense. So, after a while I started ignoring them, deleting them with all the other spam.

But for some reason today I started thinking about those messages again, and realized what an ingenious method of communication this could be. With many blogs having RSS feeds available for the comments, anyone could be watching any number of blogs for a post with the right series of digits in it, or the right passage from the right nick. This makes me think about the spycraft stories about Soviet and US agents during the Cold War. Things like putting a smudge of dirt on the lower left corner of a particular street sign to indicate if a meeting was necessary.

So, a simplistic protocol for this type of communication:

Pre-agreed upon items:

nick(s), blog(s), and key phrase(s) or digit series (could be progressive)

Initiating the communication:

One party writes a blog comment on one (or more) of the select blogs, using a preselected nick and keyphrase, and then puts either some ciphered data into the message, or possibly a pointer or flag of some kind.

Receiving the communication:

The other party watches the blog for a message from the appropriate nick, with a correct keyphrase in it. When one is found it takes and deciphers the attached message.

This form of communication could be used not only on blogs, but also in forums, though it is a little harder technically to do (but not conceptually), or any other open site on the web… Flickr and Steganography anyone?

I am sure that cryptographic researchers have been aware of this type of communication potential since the advent of the intarwebs, but it is something I had not thought of before, and it fascinates me how open the communication pathways truly are. I am even more intrigued when I think about the NSA probably having technology available to detect this type of stuff, and the amount of work THAT would have to do.
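From the moderator's side, the pattern described in this post can be triaged mechanically. The following is an added example, not code from the original post: it flags comments that consist of two or three groups of five to ten digits with at most one link, and reports digit groups that recur across flagged comments. The field names, the sample queue and the `max_other_words` threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# A "set of five to ten digits" that is not part of a longer number.
DIGIT_GROUP = re.compile(r"(?<!\d)\d{5,10}(?!\d)")
URL = re.compile(r"https?://\S+", re.I)

# Constructed sample moderation queue (not real comments).
QUEUE = [
    {"nick": "qx7r2", "email": "qx7r2@mail.example",
     "body": "48213 9901745 6620318"},
    {"nick": "pharma", "email": "deal@shop.example",
     "body": "CHEAP http://a.example http://b.example http://c.example"},
    {"nick": "colleague", "email": "sam@work.example",
     "body": "Nice post. Our ticket 1234567 covers this, "
             "see http://tracker.example/1234567"},
    {"nick": "zk19v", "email": "zk19v@mail.example",
     "body": "7734021 48213"},
]

def digit_groups(body):
    """Return every 5-10 digit group found in the comment body."""
    return DIGIT_GROUP.findall(body)

def is_digit_series_comment(comment, max_links=1, max_other_words=3):
    """True for 2-3 digit groups, at most one link, and almost no other text."""
    body = comment["body"]
    if not 2 <= len(digit_groups(body)) <= 3:
        return False
    if len(URL.findall(body)) > max_links:
        return False
    # Words that remain once URLs and digit groups are stripped out.
    residue = DIGIT_GROUP.sub(" ", URL.sub(" ", body))
    return len(residue.split()) <= max_other_words  # assumed threshold

def triage(queue):
    """Return (flagged comments, digit groups seen in more than one of them)."""
    flagged = [c for c in queue if is_digit_series_comment(c)]
    seen = Counter(g for c in flagged for g in set(digit_groups(c["body"])))
    recurring = sorted(g for g, n in seen.items() if n > 1)
    return flagged, recurring

if __name__ == "__main__":
    flagged, recurring = triage(QUEUE)
    for c in flagged:
        print("review:", c["nick"], c["body"])
    print("recurring digit groups:", recurring)
```

The constructed comment from "colleague" contains digit groups and a link but is not flagged, because it carries ordinary prose around them.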


Schneier’s Dog House

One of my favorite reads is Bruce Schneier’s Crypto-Gram, a monthly newsletter revolving around the security/cryptography world. And of that newsletter, Bruce’s “Dog House” article is consistently my favorite. It always makes me simultaneously laugh in amusement at the stupidity on display, and shake my head in disgust at the con-artistry/lack of integrity.

This month it is Krypto’s, whose site is absolutely hilarious. I am not sure I understood all of the words in the broken-English machine translation from German to English, but what I did get: they are full of crap… and Hilarious!


Schneier: Dangers of Reporting a Computer Vulnerability

Bruce has another very interesting post about the reporting of security bugs/exploits to the authorities. [linky]

I wonder if it would be possible to start a site that accepted anonymous tips from people, and before publishing them, reporting them to the appropriate entities. Of course, there would be the potential for false posts, but if it were an agreed upon (ha!) site, by both the authorities and the security community, there would at least be a little more freedom to get that information to the right people.

Really, it is in everyone’s best interests to have an anonymous system for reporting these things. The company shouldn’t care who sends this stuff in, as long as it is a valid problem and they are notified of it. Of course, most companies take an entirely different view of that.


My Son, the 19 month old hacker

Yesterday I caught my son, Jack, hacking my computer. I had just turned off my laptop, closed the case and was getting something from the next room. This gave Jack ample time to scurry onto the couch, open my laptop and start looking intently at it. This is where I first noticed what he was doing.

“Meh, it’s turned off. He can’t hurt anything.”

“BEEP”.

“??? Um, meh. It’ll go through GRUB and land on the GDM login screen. He can’t hurt anything.” I move a little closer anyways…
“Jack what are you up to?”

The little guy had somehow gotten Root access to my Laptop!!! This is bad for two reasons:

1.) I have a security hole that I was not aware of, and
2.) I have a natural on my hands…

My wife actually snapped these pictures the day before yesterday.  Wonder what he did to my machine then?


Should we be concerned with AJAX?

I’m not talking about the HTTP GET problem… that has been well described and has a number of solutions.   I’m talking more about the disruptive nature of the web applications being developed and pushed out, with new things coming out every day.

Now, I was just as awe-inspired by Google Maps as the next person, and I too am still developing with and researching the use of AJAX in numerous applications, some for my current client, and some for my side projects.  I really like the usability and intuitiveness that is enabled by only a few web technologies, such as Flex, OpenLaszlo, Flash, and last and probably most easily attained, AJAX.

No, I am more concerned about the implications of having these technologies hosted for me.  Should I trust Writely?  or ajaxWrite?  Why? I realize that both of these, and most other AJAX apps allow you to store the data on your computer, but at some point, it is on the Web.  What’s that you say? Google bought Writely, and they believe in “do no evil”?  Well, maybe so, but I am beginning to think of Google like it is the Microsoft of the Intar-web. My guess is Google will have a Web-Office solution before Microsoft’s next Office release, though the quality of said solution will most likely be the most liberal use of the word “Beta” we have seen since Google Finance.

In reality, I will probably use these tools more than the average web user.  But it begs an interesting question that has really been around since PCs became mainstream:  Do we trust our software providers?  I am a developer, and I used to feel comfortable with software, but as I become more versed in what “business” seems to mean in this Enron and WorldCom informed world, I have started to question whether that is a good idea or not.

I think the best way to look at it is this:  if you feel that the content of what you are putting into these applications is something you would not want to be seen by others without your knowledge, then do not use them.  Keep using your local software.  And if you are severely paranoid, unplug from the ‘Net and hide in your tinfoil-wallpapered closet.

Of course, this advice (if you can call it that) can be used in relation to any web technology.  The specific problem with AJAX enabled apps is that they are pushing what can be done further than ever before.

And hopefully next week I can introduce you to my latest AJAX-inspired application.  But a word of warning: it will be Beta! ;)
