Friday, August 27, 2004

Clever Hacks: DNS Tricks

Tune in to the net's untapped power
Danny O'Brien
New Scientist vol 183 issue 2458, 1 July 2004, page 22

Tinker with the internet's phone book and you can create a radio station or track down long-lost friends.

By day Dan Kaminsky works as an ordinary computer security consultant for a big IT firm. But he's got a dark side.

This weekend he's on stage at the DefCon hacker conference in Las Vegas, Nevada. His latest trick is turning the internet's domain name server (DNS) system - designed to translate domain names to machine-readable codes - into an internet radio station (see "Radio mischief") or a peer-to-peer network. He is even showing how DNS can be used to bypass firewalls to hack into supposedly secure networks.

Kaminsky isn't the only one fiddling with the DNS system. Telephone companies and even retailers are looking at ways of persuading the mundane DNS protocol to perform tricks that could save them billions by reusing the existing system for new purposes.

This desire to augment DNS isn't hard to understand. "Every computer on the planet knows how to access DNS servers," says Paul Mockapetris, co-inventor of DNS. That means instant access to 2 billion computers that make up the internet.

But how do you twist such a system into indexing a whole new range of data? Mockapetris built into the design of DNS the ability to return strings of text that can represent a type of simple programming command - called a "regular expression" in programming jargon. Now the Internet Engineering Task Force, the international organisation responsible for developing the internet, has used this quirk to turn DNS into a general directory service, called ENUM.

Here's how it works. To turn your telephone number, say +1 408 555 1234, into a domain name you reverse it, sprinkle dots between the digits and add the special domain, to get:

Looking this up on the DNS system will return, instead of a usual IP address, a regular expression. Applying this regular expression to the original phone number then converts it into a URL. For example, when applied to "+14085551234" it might convert the number into "": the regular expression generates the "do" from the phone number, and provides the rest of the URL itself. In this way, every phone number can be linked to its own email address, so if your phone is engaged a computer can automatically copy your voice mail to your email, or try to locate you via an instant messenger service instead.

Wednesday, August 25, 2004

JDocs: Documented APIs for Popular Packages

Documented APIs are the wave of the future for building Service Oriented Architectures. The Java Lobby has caused some controversy by publishing leading APIs on the web. Seems like some vendors don't want open publishing that will actually help the developers as it interferes with their business model. We are seeing the same dynamic in the open source publishing of journals.

What is JDocs?

  • HUGE collection of APIs
  • Familiar "javadocs" interface
  • Annotated with user notes
  • Fully indexed and searchable

JDocs is a comprehensive online resource for Java API documentation. All the javadocs for a variety of popular packages are loaded into our db-driven system, and users can contribute their own notes to virtually any class, field, method. In short, JDocs provides a knowledge base defined around the major Java api's themselves, so you can find the information you're looking for right where it should be... in the documentation!

Wednesday, August 18, 2004

Patterns: Model View Controller Pattern Critical to Cross Platform Development Tools

An Authoring Technology for Multidevice Web Applications
Guruduth Banavar, Lawrence Bergman, Richard Cardone, Vianney Chevalier,Yves Gaeremynck, Frederique Giraud, Christine Halverson, Shin-ichi Hirose,Masahiro Hori, Fumihiko Kitayama, Goh Kondoh, Ashish Kundu, Kohichi Ono,Andreas Schade, Danny Soroker, and Kim Winz
IEEE Pervasive Computing, Jul/Sep 2004

The rapid proliferation of mobile computing devices has increased the complexity and cost of cross-platform application development. Multi-DeviceAuthoring Technology (MDAT) lets developers build a generic applicationcommon to multiple devices and customize it for specific devices...

Notably, we found that the programmers’ understanding of MVC prior to their MDAT experience affected their understanding and use of the tool. For example, if their previous experience was with Web design or with Struts, they had expectations about the model that might not have been realized. Al­though many assume MVC to be well understood, it is, in fact, an amorphous design pattern. Existing implementations, from SmallTalk to Struts, differ considerably. A survey of the literature—both academic and popular—shows variability in definitions of the MVC paradigm, particularly in the connections between the various components. The two primary variations re­volve around whether the Model and the View talk directly to each other or whether the Controller handles all messaging and action. We can’t overstate MVC’s importance for a novice’s introduction to MDAT. MDAT’s power is based on the programmer creating an abstracted description of the Controller and View components, as well as the connections between the components. In most cases, the code is automatically generated from these abstract descriptions. For the Model, however, programmers must write concrete code that’s connected to abstract or generated Controller and View components.

This blurring of the abstract and concrete is particularly important because of the role that mental models play. Research in the early 1990s explored the role of mental models in teaching programming and in understanding how to use programming. In both cases, understanding the structural mental model (what the system does to solve a problem) is ultimately more powerful than a functional mental model (how to solve the problem). No difference exists in the performance between those taught a functional or structural model for standard problems. For new problems, however, that don’t have an existing functional model, programmers who un­derstand the structural model will be faster and more efficient at solving the problem. When using a new tool such as MDAT, most problems are novel, so a clear understanding of the underlying structural model, in this case MVC, is critical. Our finding that users had different structural mental models of MVC meant that they had difficulty linking past programming experience to programming in MDAT. Consequently, we found that learning MDAT was more difficult than we expected.

Friday, August 13, 2004

SCRUM: Productivity Gains with eXtreme Programming

For some years now, several authors of the Agile Manifesto have discussed Scrum as a process wrapper for XP processes. It's introduction to a new team can be quick and easy, and XP engineering processes can be adopted over time as the team can adapt. Also, Scrum has a scaling strategy that has repeatedly worked on large implementations, whereas XP engineering approaches are most clearly visible in a small team.

The May/June 2003 issue of IEEE Software focused on XP. One of the more interesting articles is about the experience of a team of two building an application of 2445 lines of code at NASA Langley Research Center building government research software in Ruby. Since Ruby combines some of the best features of Smalltalk and Perl, it is arguably one of the most enjoyable modern programming languages and a major change form the FORTRAN programming these researchers were familiar with.

Wood, William A. and Kleb, William I. Exploring XP for Scientific Work. IEEE Software 20:3:30-36, May/June 2003.

While 2545 lines of code is not very useful for most commercial projects, having spent 13 years in a previous incarnation on research software in numerical analysis and statistics, I know a few lines of code may incorporate many person-years of hard won knowledge. Consider that this small piece of code "delivers a software test bed for evaluating the performance of a numerical scheme to solve a model advection-diffusion problem. The model employs a multistage Runge-Kutta strategy for temporal evolution with multigrid sequencing. The particular algorithmic research feature is a strategy for the pointwise optimization of the Runge-Kutta coefficients to achieve particular damping characteristics as a tool for convergence acceleration."

The typical commercial developer would need to spend a couple of years on a masters degree to be able to write this kind of code. But I digress. One of the most interesting aspects of this paper is that the single pair of programmers produced 912 lines of production code (the remainder was test code and utilities) at the rate of 27 lines per hour for the pair. On previous projects, programmers produced 12 lines of production code per hour, or 24 for a pair of programmers. However, they had to deliver 2144 lines of code to achieve the same level of functionality as the XP application, more than twice as much code.

In the project, relentless refactoring combined with Ruby advantages over Fortran where key considerations that more than doubled productivity in a NASA project on an initial project with a new development process and a new language. On the average, FORTRAN takes 107 lines of code per function point and Ruby lies somewhere between Perl (21) and Java (53). I would expect on future projects they could push productivity gains even higher.

Security: Samba Does Windows

Samba has been a basic component of my company's development environment for many years allowing Windows clients to talk to Linus servers. A recent article in ACM Queue points out how widely deployed it is, the interesting way it handles communication between heterogeneous distributed systems, and the security ramifications of its manipulation of network protocols.

Wolfe, Alexander. Samba Does Windows-to-Linux Dance. ACM Queue, Jul/Aug 2004.

With heterogeneous networked environments becoming the rule rather than the exception, there's more need than ever for Windows and Linux to work and play well together. Enter Samba, the print- and file-sharing tool that enables files residing on Linux hosts to interact with Windows-based desktops.

Samba, an open source effort that's freely available under the GPL (GNU General Public License), first hit the streets in a 1994 release written to support Unix. Its march toward common usage began in the form of deployments on servers running popular open source implementations such as HP-UX, IBM's AIX, and Sun's Solaris.

In recent years, the rampant rise in usage of Linux in the server world has catapulted Samba into almost ubi-quitous deployment. (In typical setups, Samba serves as the missing link, allowing client desktops running Windows to access files stored on such Linux servers.)

Indeed, the fact that Samba ships as a standard part of nearly every Linux distribution has given the software a stealthy penetration that's surprisingly large. There may be as many as 14 million to 16 million Samba servers in use in various forms. To break the numbers down more meaningfully, however, not all of those setups are "high-stress" environments. Estimates peg the number of large Unix and Linux installations (defined as hundreds or even thousands of users per server) running Samba at somewhere between 2.5 and 3 million...

So just why should Samba, which seems to have a fairly narrowly defined mandate, be of interest to the developers? Because it offers a window into the intricacies of networking and can provide developers with a virtual front-row seat for the handling of intercommunications among heterogeneous interconnected systems.

That's evident in Samba 3, the latest revision of the tool, released in September 2003. Samba 3 adds full-fledged domain control support (minus Microsoft's security account manager database replication) for the still widely used Windows NT 4 operating system. Domain support means Samba essentially mirrors the architecture by which NT stores user account credentials. Thus, Samba has a means for deciding whether to grant accredited users access to server-based files, enabling the Linux-to-NT interoperability...

Terpstra recommends that nuts-and-bolts professionals obtain a copy of the free Ethereal network protocol analyzer tool and use it as a sniffer to capture and review the packets traveling across a network to get a peek under the covers. As Samba runs, it makes use of information buried in thousands of those packets about the identity of the Windows clients on the network.

I queried Samba team member Terpstra about how system administrators of heterogeneous environments grappled with perceived security differences between Samba/Linux and Windows. "Interesting question, because you'll find that views on that are poles apart," says Terpstra. "Windows-style networking is inherently insecure. The reason is, the ability to browse, or to go into your ‘network neighborhood' and see all of your machines, is based on a broadcast technology..."

Fortunately, Samba implements features to shield the operating system from the user as much as possible. Additionally, because Samba is resident on non-Windows server platforms and doesn't implement all the features of Windows, it's able to cut out a lot of potential exploits for Windows, according to Terpstra.

Though Microsoft has no specific involvement with Samba, it too is concerned with security. Seeking to minimize the ability of hackers to exploit Windows, Microsoft is working hard to design improved security into its next-generation Longhorn operating system, due in 2006.

"With Longhorn, there's a good possibility that Microsoft will introduce entirely new technology," Terpstra says. "I believe that is entirely appropriate, because the current Windows networking technology is fundamentally insecure. It's grown topsy-turvy over many years. It's probably more cost effective to start with a clean slate than to try to fix the ills of the current technology."

Tuesday, August 03, 2004

Security: Final Report on Blackhat/Defcon Conference

As Chair of my company's Security Committee, I am often called on to provide consulting advice to other companies. Security is a complex area, so I try to keep it simple. (1) Do you have a security policy? (2) Does it actually protect sensitive data? (3) Is your security policy enforced? There is always a significant amount of discomfort around answering (or not answering) these questions. On the lighter side (or frightening side depending on your point of view) the goings on a the world's most notorious security conference are always interesting.

Blackhat/Defcon: The final report
Monday August 02, 2004 (01:00 AM GMT)By: Joe Barr

DEFCON 12, LAS VEGAS, NEVADA -- The week-long Defcon 12 and Blackhat Briefings ended Sunday. Taking center stage in our final report are Google, a video history of bulletin board systems, a healthy dose of "lessons not learned" by our federal bureaucracy, anarchy, and the threat of physical violence. If you missed the earlier reports from these security conferences, you might want to read these: Blackhat Briefings: Forget the borders, guard the goodies, Blackhat Briefings: Hacker Court 2004, Blackhat Briefings: It's the stupidity, stupid, and DefCon 12: Opening Day.

Google hacking

Johnny Long -- whose day job is as a researcher at CSC -- gave his presentation on Google hacking at both shows. He raced through more than 130 slides, each showing another twist in the game of learning passwords, credit card numbers, and other personal data using nothing but the Google search engine. I was impressed by what I saw. Others? Well, not so much. "O'Reilly has a book out on the subject," I was told by someone who was clearly implying a talk on the subject didn't deserve to be done at Defcon.

The one constant in Google hacking seems to be that there are some real idiots out there who can be harvested using these techniques. Most of them are designed to find default installation pages, error pages, or administration pages for a long list of applications, from MySQL to Apache to MyPHPAdmin.

One thing I want to to research further is Google's Numrange advanced operator. Long said he couldn't talk about it and expect to keep his day job. Hmm.

Before moving on, I would like to point out that there is a very good application for Google hacking. Have you ever needed to convince a PHB where you work that better security is needed? This is a great way to illustrate why.