Normally I do not write about news stories, and this would be a shift from talking about freeware pocket pc software, mobile tv players or mobile radio technologies. But this story is really funny and I would also like to strongly support a fellow programmer.
Terry Childs was a respected computer engineer in the Dept. of Technology in San Francisco. As an administrator he had access to all kinds of sensitive information and systems. What happened is that one day, Terry decided to lock everybody out of the maintenance account of the city's network. No damage was done to data, but he is the only one who can fix it if something goes wrong. He made himself irreplaceable.
Why did he do that? Some say he is a maniac; others say he is protesting against the arrogance of the city's management team. Whatever the truth, this seems to be one of the most striking examples of insider attacks.
Cisco has been called in to help crack the account while Terry remains silent in his jail cell, with a $5M bail. Free Terry!
Friday, July 18, 2008
Tuesday, July 15, 2008
Wi-Not Mobile: A Different Pocket PC Freeware Application

[This article discusses a new freeware application for Windows Mobile devices, in the creation of which I feel excited to have participated. It is called Wi-Not Mobile and can be found on this site]
You may have noticed the link on the right for some time. It points to a new mobile platform that a limited number of talented professionals and I built. Starting with silly little ideas, it quickly grew to integrate some research results of our personal projects. The result was Wi-Not Mobile, a mobile platform for information, communication and entertainment. Wi-Not Mobile is a freeware Pocket PC application and you can find it here. It has been live for a week now and, with limited or no advertising, has far exceeded 1000 registered users and many more downloads. Here is a small tribute to this one-year full-time effort and some technical details for those who are interested.
For a quick introduction here is a Youtube video, which tries to describe Wi-Not Mobile in 4 minutes:
We have received so much feedback, both good and bad, and I feel really intrigued in trying to understand how others view this application. We are so enthusiastic that we really see criticism as an opportunity. It may sound typical but it is true. Here is my understanding.
First of all, Wi-Not mobile is not an application. It is a platform and there is a perfect reason for that. The platform is a more general concept and solves much more difficult problems than an application. Wi-Not's platform defines a basic API which we later use to create all different functions that exist inside. Let's iterate through the various features to show how.
Wi-Not Mobile offers free web TV streams for your Pocket PC, but also the client to consume them. If we were limited to this (like tons of other popular TV playing programs) then Wi-Not would be an application. But we are not. TV streams in Wi-Not Mobile are updated automatically whenever there is an available new version of the TV channels. The same holds for the web radio streams found in Wi-Not Mobile. This alone does make an excuse for the term 'platform' but the story is not over yet.
The Instant Messaging module of Wi-Not is a clean and efficient way to exchange messages. Of course it was not built to compete with already popular mobile IM clients (MSN Mobile and others). But there is something special inside that is actually a function that the underlying platform can support. It enables automatic translation. For example, a user can define that he writes in Spanish, his friend can define that he reads in Italian, and they are still able to communicate in their native languages, a feature that at least for now cannot be found in any other mobile IM client.
Moving on to the entertainment portion, we arrive at what we tenderly call "Wi-Lol". There is another trick here. What can it do? You simply type the game you want to play, and the module (using the platform's middleware) will locate free and available flash games to play on your mobile. The difference from other similar functions is that we do not store a single byte of game content. So how is it done? The platform defines a search API, which can have many "flavors" (inheritance in programming words), and these can be a web search, a game search, or a music search. Each of these kinds shares some common properties (base class) but at the same time has many differences. The game search module of Wi-Not locates flash files and reports back available links. With the embedded flash player it is possible to play them on the fly!
There is also a great option for getting music on your Pocket PC. We have put there a special media finder, which can accept keywords for your search and locate audio files. This is entirely new for a mobile application. Again, we do not store a single byte of audio content. With a hit rate of around 90% you will be able to get the mp3 file you were looking for. Again the platform here plays the most crucial role. It is able to maintain places that are more likely to provide an answer and also to dynamically find more.
I could really talk for hours about this stuff but I am sure it would bore most people. There are certainly many more posts coming about this effort. We are really excited about the outcome and ready to do more. There are also many hard lessons from releasing your creations to the public and perhaps I should talk about them later.
Till then you are more than welcome to download Wi-Not Mobile from here and I would be grateful if you could share your thoughts about it. Have fun!
Saturday, July 12, 2008
How I Selected A Good .NET Obfuscator
This post describes how I searched for a good .NET obfuscator, and the products I tested until my final decision. I hope it will be of help to anyone searching for a good obfuscator.
For the last few years I have been programming in C# on .NET. This was not a big shift since my background was Java-centric. Days were passing by, playing, and creating simple utility programs for me and my friends, or some parts for an open source project.

These days of innocence suddenly came to an end when I had to engage in a real-world, professional .NET project. (This is actually Wi-Not Mobile, the link promoted in the top right of this blog.) In this setting, software is a real investment: an investment of time, energy and of course... money. Since every investment has to be protected from 'unprivileged entities', so does the software. Reverse engineering is your biggest enemy.
Reverse engineering is when we look at a system and try to understand, from its outputs, the mechanisms within. As always this can be used for good but also for bad purposes. The day we proved the big Gmail scam with G-Archiver, we reverse-engineered the malicious application, and this was certainly for a good purpose.
.NET and Java programs are very exposed to the experienced eye. To decode an unprotected Java class file, you will only need the Java Language Specification by your side, and a decent hex editor. The picture can become crystal clear, and decompilers are able to create a perfect reconstruction of the original source file. The reason is that both the CLR and JRE are virtual machines. As such they were designed to be platform-independent, which means that they are both standardized. This standardization is used to attack them and recover entire source files.
The most common protection is called obfuscation. It transforms a set of commands into another set which does the same thing but is hard to reverse engineer. There are plenty of good in-depth articles on the web that lay out the problem really well. You can try reading this for example, which comes from Microsoft and the MSDN magazine.
When I started searching for an obfuscator, I knew I had a big project in my hands. Wi-Not Mobile is over 60,000 lines of source code, which is not a small number! I first tried Dotfuscator, which comes integrated with Visual Studio 2005. This is a fairly simple program that will do the job for very small programs, but is totally inadequate for big projects. I abandoned it quite often.
I then came across this article which had some guidelines on what to pay attention to. The first important lesson I learned was "Try Before You Buy". Always search for a product that ships with a trial version. Give it a try and then make up your mind. The second is to thoroughly check how your program behaves when obfuscated.
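The point about standardized formats, and the advice to check the obfuscated build, can be made concrete. The following is an added example, not code from this blog or from any product mentioned: it walks the constant pool of a Java class file as laid out in the JVM class file format and reports which names from a watch list are still readable after obfuscation. The sample bytes, the package `com/example` and the names `LicenseValidator` and `checkSerialKey` are constructed for illustration.

```python
import struct

# Size in bytes of each fixed-length constant-pool entry, after its 1-byte tag.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 string stored in a class file's constant pool."""
    if len(data) < 10:
        raise ValueError("truncated header")
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index, strings = 10, 1, []          # entries are numbered from 1
    while index < count:
        if pos + 3 > len(data):
            raise ValueError("truncated constant pool")
        tag = data[pos]
        pos += 1
        if tag == 1:                         # Utf8: u2 length, then the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            raw = data[pos + 2:pos + 2 + length]
            if len(raw) != length:
                raise ValueError("truncated string")
            # Class files use "modified UTF-8"; identical for ASCII identifiers.
            strings.append(raw.decode("utf-8", errors="replace"))
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        index += 2 if tag in (5, 6) else 1   # long/double occupy two slots
    return strings

def leaked_identifiers(data: bytes, watch_list: list[str]) -> list[str]:
    """Names from watch_list that still appear in clear text in the pool."""
    pool = constant_pool_strings(data)
    return [name for name in watch_list if any(name in s for s in pool)]

def _utf8(text: str) -> bytes:
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw

def build_sample(class_name: str, method_name: str) -> bytes:
    """Constructed sample: header plus constant pool only, not a full class."""
    entries = [_utf8(class_name), b"\x07" + struct.pack(">H", 1),
               _utf8(method_name), _utf8("(Ljava/lang/String;)Z")]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, len(entries) + 1)
    return header + b"".join(entries)

# Hypothetical names standing in for code worth protecting.
PLAIN = build_sample("com/example/LicenseValidator", "checkSerialKey")
RENAMED = build_sample("a/b", "c")           # what a renaming pass might emit
WATCH = ["LicenseValidator", "checkSerialKey"]

if __name__ == "__main__":
    print(constant_pool_strings(PLAIN))
    print("before:", leaked_identifiers(PLAIN, WATCH))
    print("after: ", leaked_identifiers(RENAMED, WATCH))
```

Note that the descriptor `(Ljava/lang/String;)Z` survives in both samples: references to library types cannot be renamed, which is one reason renaming alone leaves program structure visible.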

This blog post has a comprehensive list of many commercial obfuscators. First I gave a try to .Net Reactor. This is cheap compared to others and had a trial to check out. I tried a few times but I was not able to build the entire project. I kept getting dependency errors and I finally gave up. While its interface is clean, it has options that were troubling. For me, the process was made in my mind: When I select an executable, all dependencies should be in front of my eyes immediately. This was my fundamental requirement.

Then I moved to Spices from 9Rays. The whole package includes obfuscation, decompilers and other tools, and I thought I would give it a try. However, I still didn't get my fundamental requirement. I finally got it running but it certainly wasn't worth the price. Spices is one of the most expensive products (about 1,200$!) of this area, and I couldn't put up with that.

Finally, I followed a thread in Channel 9 (which I cannot seem to find any more) which was suggesting {smartassembly}. I soon gave it a try, and amen, I felt happy to get an easy and clean start. My solution with my assemblies was laid before me in all their glory. I was able to follow a straightforward 8-9 step process, in which I could choose assembly merging options, string encoding and others. My project was built fast and was working from the first run.
Our team then focused on {smartassembly}. We went through all of our application scenarios and double/triple-checked if it played well. This part is really important. Bear in mind that obfuscation might yield problems in program execution that you might not grasp at the first run. Wi-Not Mobile has a hell of a lot of scenarios and we tested them all. Finally a subtle problem arose, a teeny-tiny detail which was making our communication module silent. We quickly found out that this was an encoding problem, which we solved together with {smartassembly} support. This is another crucial requirement. The software product must have people behind it to support you, and {smartassembly} deserves credit for this.
All in all we were quite happy with what we had. Our obfuscator has a great UI for obfuscation, it has great functionality, a medium cost and very good support. All in all, it turned out to have a perfect cost per value. After a 10-day test, and ensuring that obfuscation was perfectly functional, we purchased the program and lived happily thereafter.
Wednesday, July 2, 2008
Another Riemann Hypothesis Solution From Purdue?
Well, it seems that the mathematics department of Purdue University is really obsessed with the Riemann Hypothesis, as Xian-Jin Li published a proof of the legendary mathematical problem. However, this is not the first time that Purdue disturbs the mathematical society with a Riemann Hypothesis solution. The most recent attempt was in June 2004 but was not convincing enough.
The Riemann function ζ(s) is a complex function and is defined as the sum of terms 1/(n^s) for all n to infinity. As a mathematical construct it seems to encode a great deal of information about number theory. One hit example is the proof that there are no zeros of the ζ(s) function with Re[s]=1. Here Re[.] is the real part of a complex number, e.g. if s=1+2i then Re[s]=1. The above theorem is equivalent to the prime number distribution theorem, which states that among the numbers 1 to N there are approximately N/logN primes, and ad infinitum the ratio of the 'density' of primes to N/logN tends to 1.
Now the Riemann Hypothesis states that ζ(s)=0 => Re[s]=1/2. It has been haunting mathematics for centuries now and its solution will have an award of 1.000.000$ from the Clay Mathematics Institute.
Now, many 'proofs' have been devised over the years, which seems reasonable since many people have been obsessed with the problem. But it seems no other institution can match Purdue in its pursuit of the solution. The 'crusade' started with Louis de Branges, Professor of Mathematics at Purdue University. De Branges announced a solution in June 2004, which however fell into the dark in the mathematics community. The story continues with Xian-Jin Li, who published yesterday a new proof of the hypothesis. You can find the document in ArXiv here. It is interesting to note that the Mathematics Genealogy Project reveals that Li is a student of de Branges at Purdue.
The proof is at the disposal of mathematicians who will try and test its correctness. It is an interesting case to keep an eye on and, who knows, maybe Purdue got it right this time!