Category Archives: Tech

Lunar Eclipse


I took some pictures of the lunar eclipse back in February, and I’m just now posting them to flickr. I’m kinda new to this digital photography thing.

That was the night of the spaghetti dinner and silent auction at my kids’ school, which Gail and other members of the school council spent weeks organizing. During the evening, I was talking to the father of one of Ryan’s friends, and he mentioned the eclipse that was happening that night. I had no knowledge of this at all, so I was glad he told me. When we got home and I got the boys to bed, I grabbed the camera and tripod and set it up in the kitchen. We also have a little trigger thing that attaches to the camera so you can take a picture without touching the camera itself — I figured this was a good idea since I turned the flash off, so the exposure time might be longer, and if I was holding the camera it would be shaky. I centered the camera on the moon, zoomed in as far as I could (200mm lens), and took a couple. With the tripod, the camera already centered on the moon, and the trigger, I was all set. All I had to do was go into the kitchen every five minutes or so, hit the trigger, and that’s it.

Five minutes after I took the first picture, I went back into the kitchen and looked through the viewfinder, just to make sure I was still centered on the moon. I wasn’t, so I re-centered and took another picture.

Five minutes after that, I did the same thing, found that, again, I was not centered, so I re-centered and took another one. I figured that I must have bumped the camera or tripod without noticing, so I was extra careful this time.

Another five minutes passed, and I went to take another picture. Sure enough, the camera was no longer centered. I scratched my head and re-adjusted again and then it hit me like a ton of bricks.

The moon moves.

I had to re-adjust the camera and tripod before every picture, of course, and eventually the moon got high enough in the sky that I was getting reflections off of the kitchen windows, so I moved the tripod out to the deck. Luckily there were only patches of snow at the time, so I could go outside in my socks every few minutes without getting wet. As we moved towards totality, the exposure time kept increasing; between 9:32 and 9:55, exposure time went from 0.4 seconds to 4 seconds, and by 10:18 it was at 15 seconds. At 10:52 it was still 13 seconds, but at 11:15, it was back down to 2.

There are nicer and clearer pictures of the eclipse out there, but I’m pretty happy with mine. Here is a very cool video made up of a series of excellent pictures of the eclipse, though this guy is a much better photographer than I am, since he managed to keep the moon centered the whole time. Maybe the moon doesn’t move where he is.

Usability


Memo to the people who wrote the DLink router HTTP server: when adding to the list of MAC addresses that are allowed to use the router, I should not have to reboot the router after every single one, especially when the option for MAC filtering is OFF. I should be able to add each computer that currently has a DHCP-assigned IP address to the list and then reboot the router once when I’m finished. This was a job that should have taken under a minute, but due to this little bit of stupidity, dragged out to over ten.

Security through obscurity


Computer security is strongest when everyone knows how it works. This seems on first blush to be counterintuitive — if you’re sending some information to another computer or storing it in a file and you want to encrypt it, wouldn’t it be better if nobody knew anything about your encryption algorithm? If it’s secret and nobody knows how it works, they can’t break it, right? Well, this is true, for the most part, but there’s a big problem with this so-called “security through obscurity” — once someone does figure out how it works, your secret is out and you’ve lost at least some (and usually most) of the security that it provides. On the other hand, if your algorithm is freely available and fully documented (e.g. TLS, HTTPS, AES), then the open source community can look it over and find any vulnerabilities in it. If thousands of hackers know exactly how an algorithm works and can still pound on it for years and not break it, that’s a good indication that it’s pretty strong.

This was demonstrated recently with some Adobe products after the release of TrueCrypt 5.0 full disk encryption software. TrueCrypt rewrites the first sector of your disk with its own software, so that it can ask you for your encryption phrase before the operating system boots. Some users have found that after they did this, their Adobe Dreamweaver installation, which worked perfectly until then, suddenly decided that it was no longer licensed. This is certainly inconvenient, but if they relicensed their Dreamweaver software and rebooted their machine, the machine would refuse to boot, which is beyond inconvenient. TrueCrypt forces users to create a recovery CD before it encrypts the disk, which is lucky since this is the only way to recover from this.

It turns out that Adobe is saving some of their licensing information on the first sector of the disk, which is not accessible through normal channels (i.e. you can search your C: drive to your heart’s content and you will never find their licensing data). I’m sure their developers thought this was quite the clever little solution — since nobody could find this information, nobody could modify it, thereby making their software more difficult to pirate. Rather than simply encrypting the licensing information with a secure algorithm, they chose security through obscurity. Now that their secret has been revealed, everyone knows where they store their license information, and so they’ve completely lost the security that this provided. If they had simply used something like an AES-encrypted file, their licensing scheme would only be broken if the AES algorithm itself was broken, which is rather unlikely.

However, adding an encrypted file introduces a key management issue — where do you store the encryption key that unlocks the license file? If it’s hard-coded, you’re back to security through obscurity — if someone figures out where in the executable the key is stored and posts that information on the internet, your entire security scheme is useless. The solution to this problem is non-trivial, and so I’ll leave that up to the software manufacturers. They may decide that a hard-coded key is fine, or maybe using a random key and storing the bytes of the random key mixed in with the encrypted data itself (in a reversible way) is good enough for their purposes. Storing encrypted data along with its encryption key is inherently insecure — like keeping your bank card PIN on a Post-It note attached to your bank card — but it’s only licensing information we’re talking about here, not the US nuclear launch codes or a file containing credit card numbers or something.
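An added example (not from the original post and not any vendor's code) of the "random key mixed in with the encrypted data" idea above, next to the same public algorithm with the key held separately, which is the distinction the first paragraph of this post draws. The layout constants, function names and sample license text are assumptions, and a SHA-256 keystream stands in for AES so the sketch runs on the Python standard library alone.

```python
import hashlib
import os

KEY_LEN = 16  # assumed key size for this sketch
STRIDE = 4    # assumed layout: one key byte after every 4 ciphertext bytes


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter-mode keystream.

    Not AES; used only so the sketch needs no third-party package.
    Encryption and decryption are the same operation.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def interleave(key: bytes, ct: bytes) -> bytes:
    """Hide the key inside the blob: STRIDE ciphertext bytes, then one key byte."""
    out = bytearray()
    pos = 0
    for k in key:
        out += ct[pos:pos + STRIDE]
        pos += STRIDE
        out.append(k)
    out += ct[pos:]  # whatever ciphertext is left after the last key byte
    return bytes(out)


def deinterleave(blob: bytes):
    """Reverse interleave(); needs only the layout, never a secret."""
    ct_len = len(blob) - KEY_LEN
    if ct_len < 0:
        raise ValueError("blob is shorter than the embedded key")
    key, ct = bytearray(), bytearray()
    i = 0
    for _ in range(KEY_LEN):
        take = min(STRIDE, ct_len - len(ct))  # short files run out of ciphertext early
        ct += blob[i:i + take]
        i += take
        key.append(blob[i])
        i += 1
    ct += blob[i:]
    return bytes(key), bytes(ct)


def pack_license(plaintext: bytes) -> bytes:
    """Scheme A: random key, stored mixed in with the data it protects."""
    key = os.urandom(KEY_LEN)
    return interleave(key, keystream_xor(key, plaintext))


def read_license(blob: bytes) -> bytes:
    """The application's reader. It takes no secret input, so any party
    that learns the layout can read the blob or build a new one."""
    key, ct = deinterleave(blob)
    return keystream_xor(key, ct)


def demo():
    # Constructed sample license text, not a real product's format.
    license_text = b"product=ExampleApp;seats=1;expires=2009-01-01"

    # Scheme A: knowing the layout is enough to recover the plaintext.
    recovered = read_license(pack_license(license_text))

    # Scheme B: same published algorithm, key kept outside the file.
    # Knowing the algorithm and layout does not help without the key.
    ct = keystream_xor(os.urandom(KEY_LEN), license_text)
    wrong_guess = keystream_xor(os.urandom(KEY_LEN), ct)

    return recovered == license_text, wrong_guess == license_text


if __name__ == "__main__":
    layout_only, without_key = demo()
    print("scheme A readable with layout knowledge only:", layout_only)
    print("scheme B readable without the key:", without_key)
```

In scheme A the only thing protecting the file is the secrecy of `STRIDE` and the byte order, which is the obscurity the post warns about; in scheme B everything except the key can be published.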

Bottom line: if any part of your security system uses the phrase “Nobody’d ever think of looking here!” or “Nobody will ever figure out how we did this!”, it’s not secure.

Microblogging


I don’t get twitter. If you’ve never heard of it, twitter has been described as a “micro-blog”. Basically, you join up and then you can post things, just like with a blog. But each thing you post (called a “tweet”, I kid you not) can be no longer than 140 characters, and can’t contain pictures or videos or stuff like that. You can add people to your friends list and then when you log in, you’ll see what they’ve posted and people can subscribe to your feed as well. You can update your twitter from your cell phone as well, so you can keep the world up-to-date on everything from anywhere.

This seems to me like overkill. In particular circumstances, I can see it being useful or interesting — say your favourite IT journalist is attending MacWorld or some similar conference, and is “twittering” about some things he’s seeing. A full-blown blog entry about each thing would take too long, so if he updates his twitter every few minutes or half an hour or whatever, that’s kind of neat. Similarly, a TSN reporter wrote a blog on NHL trade deadline day. He was at home watching the TSN coverage, and wrote one article and kept updating it every few minutes, whether to talk about a new trade or rumour, or analyze a previous trade, or to comment on something someone said, or just to joke about an announcer’s tie. Dave Barry has been known to “live-blog” during episodes of 24. Those kind of things lend themselves to twitter rather nicely.

But I’m guessing that the vast majority of twitter users are posting what they’re having for dinner and what they’re watching on TV and “just finished working out, now I’m going to have a shower” or other pointless crap like that. The stuff I write here is mostly my opinions or observations on stuff, not just what’s happening in my day-to-day life, because I figure nobody would be interested in that. With twitter, you can have an hour-by-hour or even minute-by-minute account of someone’s day, and I just don’t see the point. I already waste enough time online working on my blog, facebook, or wikipedia, so I really don’t need to add twitter to that list.

More on fake blogs


Raymond Chen’s popular blog The Old New Thing has an entry that describes these fake automated blogs that I wrote about a week or two ago. Turns out the whole idea is to host Google ads on these sites and make money that way. Strangely, the ones that I’ve found that link to my postings do not have ads on them, so once again, I don’t understand the point.

Fake automated blogs?


I have my blog “claimed” at technorati.com. I can use this to search around to see if anyone has linked to my blog entries on their own blog / web site. This is how I found out that I’d been quoted by slate.com.

I did a search last night (for no good reason — same reason people Google themselves), and found several of my postings linked to really weird blogs. Each blog is a collection of articles about a certain topic — my posting on security podcasts is linked to in a blog called “Anti-Virus” (I’m not going to link to any of these potentially evil blogs here), the one on skiing is in one called “Ski Resorts”, and the one about Gail being on the TV news is in one called “The Latest Premieres & Debuts”. In every case, the format of the blog posting was exactly the same:


Unknown wrote an interesting post today on
Here’s a quick excerpt
Several lines from my posting

Read the rest of this great post here


“Unknown” and “here” are links to my posting, and the title of the posting is the same as mine. Apparently the bot that created these postings has bugs in it; the bit about “wrote an interesting post today on” never has anything after it, and one of the blogs even has SQL errors on the page because the title of the posting they’re hijacking contains quotes. Each of the blogs I’ve found has hundreds or thousands of postings, all in the same format, and all listed as “uncategorized”. All of these “fake” blogs seem to be “Powered by WordPress”. I don’t remember ever seeing these before I created my own WordPress blog as a backup for my existing blog. I have the wordpress blog marked as “block search engines but allow normal visitors”, but it seems to have found its way onto someone’s hijacking list somewhere…

Call me naïve, but I don’t understand the point of these fake blogs with no original content. I’ve heard of “splogs” (SPam blOGS), but these don’t appear to be splogs — there are no ads, no links to anything but the blog articles, nothing that might make someone money, as far as I can tell. Now, I’m running Firefox with NoScript installed, so whatever JavaScript is on those sites is not run in my browser, so maybe there is something nasty in the JavaScript.

Or maybe I’m just being cynical. Maybe it’s just someone who’s written a bot that gathers together blog postings in certain categories as a public service. And he’s not that great a programmer or hasn’t done enough QA on the bot. Yes, I’m sure that’s it.

PaulDotCom and Security Now


I’ve been listening to a podcast called Security Now for a few weeks now. It features security guru Steve Gibson and Leo Laporte (who also hosts another podcast I listen to called TWiT (This Week in Tech)). Gibson is also the author of a hard disk recovery and maintenance tool called Spinrite, and in each SN episode, he reads an email or two from a Spinrite customer talking about how they lost tons of data when their hard disk failed and how Spinrite got it all back for them. This is not security-related in the least, but other podcasts have commercials as well, so it doesn’t really bother me. The podcast itself is pretty good — it’s not super technical (i.e. it’s not directed toward security programmers) but it’s not dumbed down either. Every other episode is Gibson answering questions from listeners regarding everything from online authentication (i.e. when using paypal or stuff like that), to disk encryption to browser security (like cookies and such) to spyware, malware, and viruses.

Last week, I heard of another security podcast called PaulDotCom Security Weekly, so I thought I’d give that a listen as well. My first impression was not very favourable.

Before I go any further, I should say that I’m no security expert, but I am relatively knowledgeable in the area. Computer security has interested me for a number of years, and I am one of the de facto security people at work. I have written (and re-written) pretty much all of the database and communications encryption code in the SQL Anywhere server and client software, and I’m also responsible for other security-related things like permissions, authentication, and auditing. My point is that I’m not ready to start my own security podcast anytime soon, but I am able to at least keep up.

Back to PaulDotCom. The hosts introduced themselves and one of the first things they did was talk about what beer each of them was drinking at the time. Immediately after that, they made fun of Security Now and Steve Gibson by referring to Security Now as a “Spinrite commercial” (and they’re not far off with that, I suppose), and played a bunch of clips from various SN episodes — each clip was one where Gibson had lost his train of thought, or said “um…” a couple of times while trying to think how to say what he wanted to say. Of course putting all the clips together made it sound like Gibson was some moron who didn’t know what he was talking about. On top of that, they are now sponsoring a contest for listeners of PaulDotCom to come up with videos or whatever talking about how they “made the switch” from Security Now to PaulDotCom. This is not a great strategy for first-time listeners — if the first thing you do in your podcast is tell me how much better than the competition you are, you’ve just set your own bar pretty high, and now you have a lot to live up to. They seemed to spend an inordinate amount of time talking about how their podcast is so much better than SN, but it was twelve minutes into the podcast before they actually discussed something security-related. It also seemed a bit hypocritical to talk about SN being a Spinrite commercial, since they asked every guest they had if there was anything they wanted to hawk, like websites or products or anything, and even came right out and said “if you’re looking to hire computer people, send us an email, we know people who need work”.

The word “professional” did not come to mind at all during this podcast. As I mentioned before, one of the first things they did was talk about what beers they were drinking during the podcast. They seemed quite proud of the fact that they were doing this, and referred to it a couple of times later as well. One of them made a simple mistake and amid laughter, one of the other guys jokingly suggested he “have another beer”. Making fun of Gibson and SN was childish (though I did find it quite funny), and there were even a few curse words in there as well. I have no huge problem with cursing in general (as long as my kids aren’t going to be listening), but again, it doesn’t exactly scream “professionalism”.

The weird thing is that it seems to me that PaulDotCom and SN aren’t aimed at the same audience. While SN is aimed at anyone who is interested in technology and security and familiar with computers (but isn’t necessarily a programmer or IT professional), PaulDotCom seemed to assume a much higher level of knowledge. They had a pretty interesting interview with a guy that works on analyzing (i.e. reverse engineering) malware, and how some of the more advanced malware programs try to avoid being detected and also avoid being reverse-engineered by covering their tracks, changing their behaviour if they think they’re being debugged, and even modifying themselves. But they got way into the technical details of how this is done, which I found interesting, but I suspect many SN listeners wouldn’t. They also talked about some other web-based attacks and how they could be defeated, and got into some details on specific routers (i.e. they mentioned specific model numbers and what kind of firmware they were running and so on), but some of these discussions assumed a level of knowledge above my own, and they certainly didn’t stop to explain what they were talking about. The guys at PaulDotCom are certainly knowledgeable, but they seem to assume your level of security knowledge is the same as theirs. Rather than a bunch of security experts explaining things to people less knowledgeable than themselves without talking down to you (which is what I find Gibson does pretty well), this was more like eavesdropping on a conversation between a bunch of security experts who don’t care if you are listening.

If you are a programmer directly involved in writing some kind of anti-virus, anti-spam, or anti-spyware software, then this is probably a pretty good podcast for you. It’s probably the best security podcast for people who are already security experts. For the rest of us, Security Now seems like a better choice, if you have to choose only one. Even with my aforementioned experience in the field of computer security, I still found myself glazing over during parts of the PaulDotCom podcast, because they’d start talking about stuff with no background for those who were unfamiliar with the terms they were using. I mentioned before that Security Now isn’t dumbed down, but having said that, there are certainly times when I glaze over during that podcast as well, because Gibson is going into great detail explaining what a “cookie” is or something like that. But I’d rather skip stuff because I already know it than have to skip stuff because I don’t understand what the hell they’re talking about. To be fair, I will probably continue listening to PaulDotCom at least for a while, because I did find it interesting for the most part. I’m not trying to “defend” Steve Gibson and Security Now, but the next few PaulDotCom episodes better be pretty darned interesting, because the whole “we’re better than Security Now” thing just turned me right off. Since that was the first thing they talked about in the podcast, well, you know the whole thing about first impressions.

Update (Feb 4): I listened to the next episode of PaulDotCom on the way to work this morning, and felt obliged to update this entry, because the next episode was really interesting, and I quite enjoyed it. There was almost no mention of beer and no cursing. They mentioned Security Now but only in reference to their contest. There were a few off-colour sexual innuendo-type jokes, but no big deal. The technical stuff was at a lower level (and by “lower” I mean more technical in nature — definitely aimed at developers and security professionals) than Security Now, which as I mentioned is more aimed at security-conscious people who are not necessarily security pros. I haven’t “made the switch”, in that I still enjoy listening to Security Now as well, but unless the second episode was the anomaly and most episodes are like the first one I listened to (which seemed less focused than this one and I didn’t enjoy as much), I’ll continue listening to both. My first impression of PaulDotCom may not have been very favourable, but my second was pretty darn good.

Dock problems


Shortly after I got my iPod last August, I bought a docking station from DLO, on recommendation from a guy at work who has one, and loves it. The dock connects to my receiver and TV, and allows me to play music from the iPod through the receiver, and watch video from the iPod on the TV. Since all my music is on the iPod and the physical CDs have been put away, I use this to listen to music at home. It looks nice, has a remote, a nice on-screen menu, and the audio and video quality is very good (I’m using standard RCA connectors for audio and S-Video for video). I also found it very convenient to download some TV shows, convert them to iPod format, then watch them on TV rather than on the iPod screen. That is, I did, until it stopped working.

A new iPod software version was released by Apple and I updated the iPod, and suddenly the dock stopped allowing me to choose TV shows. (At least, I think that’s when it stopped working.) It lists the different shows in one menu, and when you select a show, it lists which episodes of that show you have. Except now, no matter which show I choose (Battlestar Galactica, ST:TNG, Family Guy, or whatever else), it always shows me the episodes for Battlestar Galactica. I can’t watch anything else. I found that a new version of the firmware was available, so I downloaded the new firmware, connected the dock to the laptop via USB, then ran an installation program on the laptop which was supposed to upgrade the dock. Except that it didn’t. I kept getting a checksum error when trying to do the install. I emailed DLO support, and after 10 days of waiting (and one “I haven’t heard from you. Is there any progress on this issue?” email from me), I received the following message. Other than the huge footer of the email (complete with the tech support person’s name in a fancy font, the company’s address, phone numbers, logo, hours of operation and a couple of links), this is the complete text of the email:

Please check our support website periodically for the drivers to update your HomeDock. It may correct your concern.

I responded saying that this was unacceptable. Since my first email to them was within the warranty period, I sent the dock back to them (at my own expense) and asked them to send me a new one with the latest firmware installed. Surprisingly, a new dock was mailed to me just four days later, and I received it four days after that. I expected it to take numerous weeks, so that was good. The new dock did not have the latest firmware installed, but I found that an even newer version of the firmware was now available on the website (the dock came with version 2.0.1, I was unable to upgrade to 2.0.2, but now 2.1.2 was available). I downloaded that and was successfully able to upgrade the dock to that version. However, the TV show problem is still there.

I emailed them again, and after another four day delay, they asked what type of iPod I had and what the software version was. I responded right away, and at 6:30 this evening (three days after my last email) got another response, simply asking what generation my iPod is. I’m willing to give them whatever information they need to solve the problem, but if it takes them four days to ask each question, this is going to take forever.

So far, I can’t say I’m all that impressed with the tech support offered by DLO. Whenever I send an email, it takes them 3 or 4 days to respond. The first thing they told me was “wait for a new upgrade, and maybe it will fix the problem”, which didn’t exactly fill me with confidence. It sounded like they simply had no idea what the problem was and didn’t want to be bothered looking into it. They were fairly quick in getting a new dock out to me when I returned mine, though they just grabbed one from the shelf and fired it off, they did not send me an upgraded one like I asked them to. I first reported the problem to them on December 7; it’s now January 28 and I’m no closer to having the problem solved. Well, I guess that’s not true; since I’m using a different dock, I can safely assume that it’s not a hardware problem, it’s probably a firmware problem. Maybe an incompatibility with the iPod firmware, but it’s the latest firmware — shouldn’t they have tested that?

I will update this entry as progress occurs, but at some point I’m just going to have to send the thing back, ask for a refund, and move on. That’s too bad, since this is the nicest dock I’ve seen, and when it worked, I was really happy with it.

Toy review: Universal Remote


With my winnings in the football pool, I decided to buy a new universal remote control. We’ve had one for a few years, and it’s been great, but the back cover recently broke, and so we wrapped an elastic band around it to keep the cover on and the batteries in. It looked ugly, the batteries wouldn’t sit properly because the cover wasn’t as secure, and so it was getting flaky, so I got a new one. The Logitech Harmony H659 was on sale at Future Shop, $139 rather than about $200.

This thing is very cool. The big difference between it and most remotes is the concept of “activities”. With my old remote, and most that I have seen, you have buttons that switch among different devices, and then the rest of the buttons may or may not change depending on which device you’ve selected. So to watch TV, here’s what we had to do:

  • Press TV, press Power, make sure TV is set to standard input, channel 3
  • Press Receiver, press Power, make sure receiver is set to TV input
  • Press Cable, press Power

Turning everything off was at least six button pushes, up to ten if the VCR and DVD were on. That was a hell of a lot more convenient, however, than picking up the TV remote and turning the TV off, then picking up the receiver remote and turning it off, then picking up the cable remote and turning it off, then…

Now, when we want to watch TV, we press the “Watch TV” button. It turns everything on that’s not already on, and sets everything up properly. When you’re done, you press “Off” and everything goes off. There were ways to use fancy macros to do all this with the old universal remote, but it was enough of a pain to set up that I never bothered. Also, the remote was not smart enough to know, for example, that it had already turned the TV on, so if you hit the “watch DVD” macro, it would attempt to turn the TV on, and thereby turn it off. With this, the hardest part of setting all this up was trying to read the model number on the back of our (36″ tube) TV. The rest was easy.

The remote assumes that everything is off when you start, and then keeps track of the on/off state of the devices. If you manually turn something on or off, that will mess it up a little, but there is an easy method of recovery. If something goes wrong, you press “Help”, and it will go through everything one step at a time, asking you each time whether the problem is solved. This is helpful if, for example, you turn the DVD player on manually to insert a disk, and then press “Watch a Movie”. The remote thinks that everything is off, so it turns everything on except the DVD player, which it turns off. If you press the help button, the first question it asks you is “Did that solve the problem?” This is kind of a dumb question — no, simply pressing Help did not solve the problem. After you say “No” to that, it goes through the affected devices one by one and asks if they are on and tuned appropriately. If you say “No” at any time, it re-sends that particular command and asks you if it’s OK now. If so, it asks if the problem is solved and if not, continues through the rest of the devices. It’s straightforward enough that Ryan (who’s 8) has had no problems using it so far. Nicky has been fine with it as well, though he hasn’t run into any problems yet. Since he can’t read as well as Ryan, he may have some trouble, but Nicky has no problems yelling for someone to help him if he can’t do something (or even if he can but just doesn’t want to). The “tutorial” for teaching the family how to use the thing was quick and easy — choose one of the activities (watch TV, watch a video, watch a DVD, play the Wii, listen to music), and everything on the remote just works the way you’d expect. If you have a problem, just press Help and follow the instructions. That’s it.

There are six “soft” buttons at the top, and you can program them for any function in each mode. For example, in “Watch TV” mode, I have two of them set to “Page Up” and “Page Down”, so I can quickly scroll through the channels in the guide listing. In “Watch a Movie” mode, I have them set to DVD-related buttons, like Menu, Next Chapter and Prev Chapter.

The software you use to program the device is good but has one drawback — it’s a web app, so you must be connected to the internet in order to program the remote. Not sure why they couldn’t have a standalone app that can connect to the internet to download new supported devices and fixes and stuff. I have a laptop with wireless internet access, so it doesn’t really matter for me, though if my internet connection was down I wouldn’t be able to program the remote, which seems like a silly limitation. Also, if I were to buy one for my dad, he’d have to do everything over a dial-up connection which would be painful. The software itself is pretty good, though it’s all “wizard-based”, so it asks you what you want to do and gives you screens and options based on that. I’d like to see an “advanced” mode, where you have more detailed control so if I want to change one button, I don’t have to navigate through twelve different screens to get to the right one. The interface to the remote itself is high-speed USB, so once you’ve got the programs the way you want them, you plug the remote in, click “Update remote”, and wait a minute while it downloads everything and reboots it.

I’ve only had the thing two weeks, but I love it. The only thing it doesn’t do that the old one did is control the ceiling fan/light. The fan is an old Sears model (came with the house), and the new remote refuses to “learn” the IR commands from the fan remote. The old universal remote did learn the commands, though it was flaky, so Gail always had to ask me to turn the light on because you had to hold the remote an inch from the remote sensor on the light. Yes, this does rather defeat the purpose of having a remote control. We don’t use that light all that often anyway, so as long as we keep the real fan remote around, we’re good.

I want to be terrible too


Here is a great article by a self-confessed “terrible programmer” who points out his own “failings” as a programmer and how he covers them up, so that nobody will find out the truth. Of course, he is not a terrible programmer; quite the contrary. He is obviously an experienced programmer who is very good at what he does. (Note that I have no idea who this guy is.) The methods he uses to cover up his incompetence are time-honoured ways of ensuring that the code you release is as correct and robust as possible: do code reviews, use assertions liberally, test the snot out of your code, and use the right tool for the job.

As for me, I do use assertions all over the place, and I’m usually pretty good at writing tests for the modules I write. I am part of the core engine team for SQL Anywhere, a relational database management system from Sybase iAnywhere. When I add features to the database engine, I make sure I test boundary conditions, confirm the syntax of any SQL statements I add, and try to make sure that whatever changes I’ve made work in multiple types of databases, and on multiple platforms. However, I work on a lot of security-related features (encryption, authentication, database permissions, auditing), so I have to do more than just write tests — I have to think about how hackers could break into our systems, or otherwise gain access to data that they should not have access to. If someone was watching packets go by, could they use that information to break into the database? Could someone write a man-in-the-middle program that makes itself look like a server so that clients will connect to it instead of a real server? Can we eliminate the possibility of brute-force attacks, or at least slow the process down enough to negate the effectiveness of the attack? Can we give the DBA the ability to detect when intrusion attempts are happening, and determine where they are coming from?

Anyway, I occasionally make the same mistakes the author does — bugs in code, not initializing variables (ran across one of those this past Friday, actually), making assumptions that aren’t true (and not backing up those assumptions with assertions), stuff like that. I use some of the same methods of covering up my own incompetence as he does, so perhaps I’m as terrible a programmer as he is. I can aspire, anyway.

Just remembered that my boss sometimes reads my blog, so maybe admitting my own incompetence here is a bad idea…