Developer Blog
May 24, 2007 · by Josh
As I stated in my first post, I attended RailsConf for the first time this year. The conference was presented with the help of O’Reilly Media and Ruby Central. I thought they did a really nice job of keeping everything running smoothly. I thought the keynotes were the best part of RailsConf. There were keynotes by David Heinemeier Hansson, Avi Bryant, Ze Frank, Tim Bray, Jamis Buck and Michael Koziarski, and Dave Thomas. I found it interesting that many of the keynotes were not on the technical aspects of Rails but more on community and the evolution of software development.
Ze Frank’s keynote wasn’t even related directly to the software development field. It was more about how technology is now allowing people to express their creativity in new ways, such as through internet websites and tools. He talked about how anyone can now be an author and how that has created a huge influx of new creative material to the internet. He said people basically have three options when it comes to the authors of this new content.
1. You can ignore them.
2. You can try to control them.
3. You can shut them down.
I probably enjoyed his keynote the most because it was very, very funny and entertaining but also because it was really deep.
David Heinemeier Hansson’s keynote summarized what has happened over the last couple of years with Rails and then discussed where Rails is going with Rails 2.0. He said Rails 2.0 would focus on RESTful principles but would not be hugely different from what we have now. He also mentioned the following items that would be in 2.0 as well.
- Breakpoints will once again be working in Rails and will have some additional features such as the ability to step up and down in the stack.
- HTTP Performance will be improved using caching techniques for static files such as Javascript and CSS files.
- Query caching will be improved behind the scenes.
- There will be a mime type render that can be used in actions to render different view formats including custom ones.
- The environment.rb file will be split up and better organized.
- Migrations will be improved so the type information is not repeated over and over again in a migration.
- HTTP Authentications will be used more for computer API interactions.
- Rails will generate projects assuming they are going to use the MIT license. If you don’t want to use the MIT license for your project you will need to manually change it.
- Some functionality of Rails will be moved out to plugins based on how well it fits in with the Rails 2.0 core. Also, currently deprecated functionality will be removed.
Many of the speakers such as Dave Thomas talked about the importance of creating a great community presence around Rails and improving the image of the Rails community in the eyes of the world. Throughout the conference people were encouraged to donate money to charity, for example. This started with the Charity Tutorial put on by Pragmatic Studio (which I attended and was a great overview of Ruby and Rails). People interaction was reinforced by the speakers and through the Birds of a Feather sessions at the end of each day. People also gathered during the provided lunches for discussions and short coding sessions.
All in all the conference was really interesting and I came away from it with more motivation to take part in the community. I also learned some interesting stuff through the sessions, although I think this is an area that could be improved upon next year. I often found myself in sessions that had content that I already knew or was much simpler than I expected. It would have been nice if the sessions were organized more by level of expertise or a similar rating next year. However, it was still incredibly informative and I would highly recommend for others to attend next year. I would also highly recommend for novice Railers to take the Pragmatic Studio’s tutorial if they get the opportunity. It is a great way to quickly get up to speed with the basics of Ruby and Rails.
Filed in: Developer Blog ruby
May 22, 2007 · by Scott Fradkin
A couple of short articles have surfaced recently outlining what Microsoft wants to do with web browsing in the future. The first, http://www.newscientisttech.com/article.ns?id=mg19426046.400&feedId=being-human_rss20, describes how Microsoft wants to be able to identify everyone browsing on the web. This would be a terrible blow to privacy. The greatest thing about the Internet is the ability to view anything you want with relative anonymity. Now, granted, you’re identifiable via your IP address, but you can get around this by using anonymizer services. Fortunately, all of the ways to gather information that are listed in the article can be bypassed. It mentions that Microsoft is thinking about creating a new cookie program to record pages visited, using your browser’s cache, or using proxy server logs to retrieve browsing data.
Sounds like spyware to me. Users don’t put up with spyware secretly grabbing information off of their computers, and I hope they won’t put up with this either. The easiest way around this is to not use Windows as an operating system. All of these sniffing programs or browser cache reading programs will have to be embedded in Windows or Internet Explorer. The proxy server is a little trickier, but I’d be willing to guess that the vast majority of proxy servers worldwide run on UNIX and not Windows. Even if you don’t use a Windows operating system or don’t use Internet Explorer, I’d still recommend that everybody change their privacy settings on their browser to always ask for acceptance when attempting to set a cookie. I think most non-techie people would be amazed at how many cookies are set when browsing the web.
The second interesting article, http://www.theinquirer.net/default.aspx?article=39662, describes a new “Identity Layer” for the Internet. This in and of itself is a great idea. Being able to know with the click of a mouse button the identity of a person or a website and being able to verify that identity is a good thing. The interesting thing about this is that Microsoft wants to go it alone. It’s intriguing that they want to create the infrastructure and specifications surrounding this technology. There are efforts in place that are working on such a technology (Liberty Alliance, http://www.projectliberty.org/) in a much more open fashion than Microsoft will ever attempt.
Once again, it seems like this is just a way to “own” more of the Internet and more of the data on everyone. It’s great to be able to verify identities, but it has to be done with an open standard for transparency purposes. It’s hard to trust an authority when that authority has a poor track record when dealing with personal privacy. Unfortunately, Microsoft has so much clout and market share that they seem to be able to muscle their way into everything they take on.
I challenge everybody to be more vigilant when browsing and to think about how their data is used online. Things won’t change unless everybody is aware of what happens to their data.
Filed in: Developer Blog privacy
May 21, 2007 · by Josh
I think the title of this blog posting is more than appropriate. It summarizes quite clearly that something new is on its way or has recently arrived. For me this week has been full of beginnings and firsts. One you may have guessed is the creation of my blog here at QWANtify. It is something I have been meaning to do for ohhhhh… about 6 months that just has not seemed to materialize. So what is different now? Why create my blog now? Well, I have had an opportunity to go to an event that gave me something to write about. I went to RailsConf 2007. In fact it ended only 5 hours ago (it took that long to get the wireless in my room again) and it was great. Since this is my first posting, however, I am not going to go into the details of the conference now. I will leave that for my following posts. Instead I will give you a little bit of an intro to me.
My name is Josh Swan and I am a software developer for a company in Madison, WI called QWANtify (that bit may be a bit obvious from my blog’s name and URL). I have been working in Java for around 5 years professionally but have a wider array of skills than just Java. For example, right now I am functioning more as a web service architect at work and outside of work I am building Ruby on Rails projects. Interests I have include agile development and project management practices, Ruby on Rails, Test First Development, application integration technologies, and problem solving in general. I’m the kind of person that if I’m trying to solve something I will have a hard time going to bed at night if I can’t figure out a solution. I also tend to be a bit of a jokester too, just to warn you.
I like to answer questions and help people when I can, so feel free to email me at josh.swan@QWANtify.com or post comments to this blog.
Now that we have that out of the way, here is a list of firsts that I experienced by going to RailsConf 2007.
- Rode on a plane for the first time in 12 years. I found this was much more involved when you have to plan the flights yourself. Last time I was in high school.
- Used a taxi for the first time. Yes I know this is a bit strange but keep in mind I grew up in a town with the population of around 650 people.
- Rode on a train for the first time. The TriMet MAX public transportation system in Portland Oregon was great since the airport, my hotel, and the Oregon Convention Center (where RailsConf 2007 was held) were all on it. Madison Wisconsin has a lack of rail transport.
- Attended my first Rails conference. The conference had lots of useful information and all of the key people from the Rails community were present. I thought it was put together really well.
- On the last night of the conference my friends and I went to a nice restaurant down town for dinner. Besides being one of the nicer restaurants I’ve been to, it had the best King Crab Legs and Steak I’ve ever had.
Filed in: Developer Blog
May 14, 2007 · by Scott Fradkin
Microsoft’s Platform Strategy Director and head of Microsoft’s Linux Labs, Bill Hilf, made some rather interesting comments recently about Linux. He’s proclaiming that Linux has ceased to exist in 2007 and that the open source movement is dead because many of the developers actually have paying jobs to work on Linux programs. He went on to mention that the rise of Linux had nothing to do with Linux itself, but with the rise of Apache, MySQL, and PHP and the usage of them on the Linux platform. He described those three stalwart components of many web servers as the “Visual Basic of open source”. Oh yeah… IBM, his former employer, also decided to start a standards war by promoting the Open Document Format because they wanted a part of the Office market and people just don’t want the ODF.
Wow! I don’t even know where to begin on this. I don’t know if this is just the standard FUD that comes out of the Microsoft camp, or if Mr. Hilf really believes what he’s saying, but it’s certainly absurd on many levels.
I can start by saying that I’m pretty sure that Linux still exists right now. Gentoo just released the 2007 version of their base installation. My laptop is running Linux just fine. It hasn’t fallen apart. I’m writing this inside version 2.2 of OpenOffice, which still works and supports ODF as its default document format. Things are good as far as I can tell.
Even though Linux isn’t quite ready for the desktop for the average Windows or MacOS user, it has made great strides. The real power is in using Linux as a server platform. It’s certainly not going anywhere anytime soon. On the server the LAMP stack has worked quite well. It’s possible that the AMP combination had the side effect of raising the awareness of Linux, but my guess is that’s more due to performance on Linux vs Windows than anything else. Also, I’m surprised that Mr. Hilf would compare anything to Visual Basic since that’s less of a “real” programming language than PHP (obligatory VB dig).
I’m not sure why people wouldn’t want the Open Document Format. What it does is create an open standard for storing various document data that has no vendor lock-in associated with it. It will force office software vendors to really compete with their products rather than relying on their locked-in format to keep a person from switching to a different office product.
I don’t see it as a bad thing that programmers are getting paid to write Linux and open source software. They need to make a living, too. If a company wants to sponsor the creation of an open source product, that’s great. It makes it even more likely that the product will continue to be improved upon than if the product was created by a programmer who was in between jobs or creating the product in his or her spare time.
So, in deference to Microsoft and Mr. Hilf: I’m sorry, but I don’t think that Linux is going to go away anytime soon.
Here’s a link to an article (PHP, no less) about this, and another link to the Slashdot story.
http://www.bangkokpost.com/090507_Database/09May2007_data05.php
http://linux.slashdot.org/article.pl?sid=07/05/14/2038250
Filed in: Developer Blog linux
May 9, 2007 · by Scott Fradkin
I’ve decided that I really need to be more multilingual. Not in the sense that I should speak another verbal language, though that would be a really great idea, but in the programming language sense.
All of the languages that I’ve learned in the past are standard procedural, object-oriented languages. There is a whole other realm of languages which I hadn’t really taken a look at before, functional programming languages. That’s one of the things that really stands out about Ruby. Ruby has a wide range of uses, but the most noticeable thing about it is that even though you can use it as an object-oriented language, it contains a lot of functional programming paradigms.
Functional programming is a bit strange to wrap your head around if you’ve never really used it before. The entire structure is based upon Lambda Calculus which seems to be nearly impossible to understand unless you’ve got a degree in mathematics. Lambda Calculus basically says that you can represent everything as a function that takes one argument and that argument can be another function. There are ways to represent the natural numbers, standard arithmetic, and even logic functions via Lambda Calculus. It’s pretty heady material to read.
I got curious and started taking a look at Scheme. Scheme is a derivative of Lisp, which makes it one of the “parentheses” languages. Lots and lots of them. It’s no worse than having curly braces everywhere, really. Functions are first class objects. It uses stack notation to perform arithmetic, so there is no operator precedence. It’s a really interesting language. I haven’t really used it for anything yet. I’m still looking through the language specs trying to figure out everything it can do. I’m sure I’ll have more things to say about it in the future. Until then, I’m just going to have some fun with it.
Filed in: Developer Blog languages
April 5, 2007 · by Scott Fradkin
I recall a few weeks ago, one of my wife’s brothers was visiting and installing a piece of software on her computer. I casually mentioned as he was downloading that he should grab the MD5 checksum so that he could compare it against the downloaded file. He said that he didn’t even know what that was.
Verifying a checksum is a fairly important step in validating that a file that you have downloaded is definitely the file you expect it to be.
Here’s how it works:
- The person with a file for download will use an MD5 utility to generate an MD5 hash.
- The file and the text of the hash will be put onto a server for download.
- The downloader downloads the file to his or her computer.
- The downloader uses an MD5 utility to generate an MD5 hash of the downloaded file.
- The downloader compares his or her results to the posted MD5 hash. If they are the same, then the file is legitimate. If the hashes are different, the downloader should not open the file.
Of course, this does mean that there has to be a certain level of trust between the downloader and the website from which the file is downloaded. Files and checksums can be replaced to look legitimate when they may include viruses or other worms in them.
On a Linux system the utility md5sum is usually installed by default. For Windows systems there are various third party utilities that can be downloaded to calculate hashes. One is called digestIT and can be found at http://www.kennethballard.com/modules/xproject/index.php?op=viewSummary&pid=2. The md5sum command line utility has a Windows version which can be found at one of a number of links listed on OpenOffice.org’s website http://www.openoffice.org/dev_docs/using_md5sums.html.
The output of an MD5 hash is a 32 byte hexadecimal number which can be a little tough to manually inspect, but the Windows programs usually do the comparison for you. Some websites have started using SHA1 hashes (which generate 40 byte hexadecimal numbers) instead since SHA1 is more secure and harder to find hash collisions for. Many of the Windows programs will also perform hashing for this and other algorithms. In Linux, the OpenSSL program can calculate many different hashes.
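The procedure above, as an added Python example that is not from the post or from md5sum: it infers MD5 or SHA1 from the length of the posted hash (32 or 40 hex characters, since MD5 is 128 bits and SHA1 is 160 bits), accepts the `hash  filename` line format that md5sum and sha1sum write, hashes the download in chunks, and reports a mismatch for a tampered copy. The file contents and posted hashes are constructed; the hashes are the standard test vectors for the string `abc`.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> algorithm, for the two the post mentions.
HEX_LENGTHS = {32: "md5", 40: "sha1"}


def parse_posted_hash(line):
    """Accept a bare hash or an md5sum/sha1sum line: '<hash>  <filename>'.
    (sha1sum/md5sum prefix the filename with '*' in binary mode; that is
    harmless here because we only keep the first field.)"""
    return line.strip().split()[0].lower()


def algorithm_for(posted_hash):
    """Pick md5 or sha1 from the hash length; reject anything else."""
    if not posted_hash or any(c not in "0123456789abcdef" for c in posted_hash):
        raise ValueError("posted hash is not hexadecimal")
    try:
        return HEX_LENGTHS[len(posted_hash)]
    except KeyError:
        raise ValueError(f"unrecognised digest length: {len(posted_hash)} hex chars")


def hash_file(path, algorithm):
    """Hash a file in 64 KiB chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, posted_line):
    """Steps 4 and 5 of the post: re-hash the download and compare.
    Returns (matches, algorithm, computed_hash)."""
    posted_hash = parse_posted_hash(posted_line)
    algorithm = algorithm_for(posted_hash)
    computed = hash_file(path, algorithm)
    # compare_digest is constant-time; unnecessary for a local check, but the
    # right habit if the same comparison ever runs inside a server.
    return hmac.compare_digest(computed, posted_hash), algorithm, computed


def demo():
    """Walk the steps with a constructed 'download' and posted hashes."""
    content = b"abc"                                   # constructed sample file
    posted_md5 = "900150983cd24fb0d6963f7d28e17f72  installer.bin"   # md5sum-style line
    posted_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"         # bare SHA1
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.bin")
        tampered = os.path.join(d, "installer-tampered.bin")
        with open(good, "wb") as f:
            f.write(content)
        with open(tampered, "wb") as f:
            f.write(content + b"\x00")                 # one extra byte changes the hash
        return {
            "md5_ok": verify_download(good, posted_md5)[0],
            "sha1_ok": verify_download(good, posted_sha1)[0],
            "tampered_md5": verify_download(tampered, posted_md5)[0],
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH - do not open the file'}")
```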
The actual algorithms aren’t too complex, but the discussion takes up a fair amount of space. I may post about those at a later time.
I’d encourage everyone to use the checksums when they are available. Even if you’re downloading from a trustworthy website, you never know if the files have been surreptitiously replaced. It’s a good security habit to get into.
Filed in: Developer Blog
March 17, 2007 · by Scott Fradkin
Email is a wonderful communication tool. It’s also a wonderful way to spam people, phish for their personal information, and to be a general nuisance. What if instead of having spam filters to filter out all the unwanted email, all you have to do is filter out any email messages for which the sender can’t prove his or her identity?
I can send email to anyone anywhere in the world and claim that I’m someone I’m not. It’s really not that hard to falsify email message headers and even the TCP/IP packet headers to look like the data is coming from someone else. This should be a huge red flag to everyone who uses email, but for some reason it’s usually overlooked.
There is a decent solution to this problem. There is an open standard for PGP (Pretty Good Privacy) called OpenPGP (the open source GNU implementation is called GnuPG or GPG). If you’re interested in all the gory details, the RFC is available [RFC 2440]. Many people have heard of PGP, many have not. Of those that have heard of PGP many may not know exactly what PGP does for you or how it works.
So, what does PGP actually do? PGP allows a user to digitally sign and/or encrypt and decrypt data. Sounds pretty simple. The standard allows a user to generate a public/private key-pair with which pieces of data can be digitally signed or encrypted. It allows for a bunch of different key generation, hashing, and encryption algorithms.
To start with a user needs to generate a key-pair. The key (no pun intended) to generating a nice and secure private key is to make sure that enough random entropy is created during the key generation and that a strong passphrase is used. Key generation algorithms use the random byte generator of the underlying operating system to generate sufficiently secure keys. The operating system usually generates securely random bytes by sampling data from the various system interrupts (you can find the source code from the random byte generator in the Linux kernel fairly easily). This means that the more typing and mouse movements are performed during key generation, the better the random bytes should be. A strong passphrase is necessary so that in the event that the private key is compromised, it will be exceedingly difficult for someone to guess or crack the passphrase so they can emulate your digital identity.
After the key-pair is generated, the public key should be exported into one of the OpenPGP keyservers. The main keyserver can be found at http://keyserver.veridis.com:11371/. It doesn’t really matter too much which keyserver the key is exported to. All of the OpenPGP keyservers replicate with one another. By exporting the public key, it will be available to anyone who wishes to import that key to validate a signature or identity.
Now that everything is setup, things can be encrypted and signed! Email is probably the thing that PGP is used for the most. By signing email messages with your private key, a user who receives the email from you can import your public key and use that to verify that the email was actually signed by you. Encrypting email goes one step further. By encrypting an email with the recipient’s public key and then signing the entire encrypted email with your private key, the recipient is assured that the email they receive came from you and could not be viewed by anyone else since they do not have the private key necessary to decrypt the message.
This is all well and good, but how do you prove that your public key really is yours? The OpenPGP standard includes a trust model. The GNU Privacy Guard handbook calls this trust model the “web of trust”. Everybody is allowed to sign any public key. Generally, you would only want to sign someone’s public key if you knew them personally. When you import a public key you can view the signatures on that key. It’s possible that someone you know has signed keys that you haven’t signed and when you notice this you may want to sign that key also. Eventually, this model of key signatures should build a web of keys that you trust, either because you signed them yourself or because you trust one of their signers, directly or indirectly. To go along with this, you can privately set various trust levels on each public key so that when you view emails signed with someone’s key, you will know to what level you trust that signature.
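As an added example (not from the post and not GnuPG’s own code), the following Python models how the web of trust turns key signatures plus your privately set trust levels into a validity verdict for each key. It assumes GnuPG’s default thresholds: one signature from a fully trusted valid key, or three from marginally trusted valid keys, within a chain of at most five steps. The key names and the small keyring are constructed.

```python
from dataclasses import dataclass, field

# Two separate properties are tracked per public key:
#   owner trust: set privately by you; how far you trust the key's holder to
#                check identities before signing other people's keys
#   validity:    computed; whether you believe the key belongs to its name
# Thresholds below are GnuPG's defaults (assumed): 1 full or 3 marginal signers.


@dataclass
class Keyring:
    owner_trust: dict                                  # key id -> ultimate|full|marginal|unknown|never
    signatures: dict = field(default_factory=dict)     # key id -> set of signer key ids
    completes_needed: int = 1
    marginals_needed: int = 3
    max_cert_depth: int = 5

    def sign(self, signer, key):
        """Record that `signer` certified `key` (what signing a key does)."""
        self.signatures.setdefault(key, set()).add(signer)

    def _usable_signers(self, key, depth):
        # A signature only counts if the signer's own key is already valid
        # (a chain of strangers, or a key signing itself, proves nothing)
        # and the certification chain is not too long.
        return [s for s in self.signatures.get(key, ())
                if s in depth and depth[s] < self.max_cert_depth]

    def compute_validity(self):
        """Return key id -> 'full' | 'marginal' | 'unknown'."""
        keys = set(self.owner_trust) | set(self.signatures)
        # Your own key(s), marked 'ultimate', are the roots of the web.
        depth = {k: 0 for k, t in self.owner_trust.items() if t == "ultimate"}
        changed = True
        while changed:                                  # propagate to a fixed point
            changed = False
            for key in keys - set(depth):
                signers = self._usable_signers(key, depth)
                fulls = sum(self.owner_trust.get(s) in ("full", "ultimate") for s in signers)
                marginals = sum(self.owner_trust.get(s) == "marginal" for s in signers)
                if fulls >= self.completes_needed or marginals >= self.marginals_needed:
                    depth[key] = 1 + min(depth[s] for s in signers)
                    changed = True
        result = {}
        for key in keys:
            if key in depth:
                result[key] = "full"
            elif any(self.owner_trust.get(s) == "marginal"
                     for s in self._usable_signers(key, depth)):
                result[key] = "marginal"                # some trusted signers, not enough
            else:
                result[key] = "unknown"
        return result


def signature_verdict(keyring, signer_key):
    """What a mail client should say once the cryptographic check has passed."""
    validity = keyring.compute_validity().get(signer_key, "unknown")
    if validity == "full":
        return "good signature, key belongs to the claimed sender"
    if validity == "marginal":
        return "good signature, but the key's owner is only marginally verified"
    return "good signature, but there is no reason to believe the key is genuine"


def demo():
    """Constructed web: you ('me') signed alice, bob, carol and dave; they signed others."""
    kr = Keyring(owner_trust={"me": "ultimate", "alice": "full",
                              "bob": "marginal", "carol": "marginal", "dave": "marginal"})
    for k in ("alice", "bob", "carol", "dave"):
        kr.sign("me", k)
    kr.sign("alice", "erin")                            # one fully trusted signer -> valid
    for s in ("bob", "carol", "dave"):
        kr.sign(s, "frank")                             # three marginal signers -> valid
    kr.sign("bob", "grace"); kr.sign("carol", "grace")  # only two -> marginal
    kr.sign("erin", "ivan")        # erin's key is valid, but you gave her no owner trust
    kr.sign("heidi", "heidi")      # a self-signature alone proves nothing
    return kr.compute_validity()
```

The `ivan` case is the one people trip over: a key being valid does not make its holder's signatures count; that takes a separate owner-trust decision by you.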
The largest problem with the adoption of at the very least digitally signing email messages is that a lot of email programs do not come with PGP/GPG support built in. I currently use Mozilla Thunderbird as my email program with the Enigmail OpenPGP plugin. Underneath the covers Enigmail uses GPG. I’ve been trying to get into the habit of signing my email most of the time. Even though most people don’t use OpenPGP aware email programs, I’m hoping that this raises awareness of the necessity to verify that the email that we receive everyday is really being sent by the person claiming to have sent it. I’d also advocate for encrypting messages, but that requires the recipient to also have an OpenPGP key-pair.
One thing that’s left in the background of all this is that a PGP key can also be used to encrypt and decrypt local data. If you have some files on your hard drive that you want to be secured, go ahead and encrypt them using your own public key. The files cannot be decrypted unless someone has both your corresponding private key and your passphrase.
In a nutshell, digitally signing email is a good thing. It helps to validate the sender of the email. The OpenPGP standard has a nice trust framework built in to help people decide how much they trust the identity of the sender. Encrypting email and signing it provides even more protection of the contents of the message.
Below are some extra resources about OpenPGP.
Filed in: Developer Blog
March 4, 2007 · by Scott Fradkin
I made it to the Barcamp on Saturday and it was great. I really wish that I would have been able to stay longer, but I was only able to attend on Saturday afternoon.
From the beginning, the Barcamp embraced the Wiki concept. All planning information was kept updated on the Barcamp Madison Wiki page and it continued to be used throughout the event. When checking in, one of the people manning the registration desk was entering attendees’ names into the Wiki along with sessions to let everyone know that the person had arrived. As everyone chose when and where they wanted to hold their sessions, someone was putting an electronic version on the Wiki. During the event, people updated the Wiki with new information.
The Barcamp was well attended. Though the goal was to get 400 people to the Barcamp, at last count 128 people were added to the “Present” portion of the Wiki. I have to say, it really seemed like more than that were there.
I did manage to lead two sessions right away in the afternoon. The first session I gave a presentation about Gentoo Linux. There weren’t too many people there, maybe 15 – 20, but they all seemed to be pretty interested. Hopefully they enjoyed the presentation. The presentation is available on my website for download [tech.fradkin.com]. The second session I threw out there because there were no Ruby on Rails sessions listed. I ended up just facilitating a nice discussion about Ruby and Rails. There was enough interest that a bunch of us holed up in the Hack Room for an extra 2.5 hours and discussed Rails 101. I let others take over to demonstrate Rails for those who had never seen it.
There were a bunch of people with cameras taking all kinds of pictures and video. If you head over to flickr and check out all the images tagged with barcampmadison, you’ll see some of the action. I even found some pictures of myself.
Just before I left the Barcamp, one of the organizers, Ken Rheingans, asked me if I’d consider being one of the Ruby on Rails Community organizers for Barcamp USA. I accepted. Now, I’m considering helping out with the Linux Community also.
So, put August 23 – 26, 2007 on your calendars now. Barcamp USA is at the Jefferson County Fairgrounds, just a hop, skip, and jump away from Madison. They’re expecting around 5000 people to attend from all over the US and even from overseas. As fun as Barcamp Madison was, I expect that Barcamp USA will be even more fun.
Filed in: Developer Blog