Wednesday, July 30, 2008

when your IQ representation goes single digit

(esqueeze me? :-)

... you obviously need some help with the direction/translation/interpretation; if you automagically landed here, here's the past year... "uncovered" (wow, this blog is one year old :-)

More (or less) to come, stay tuned :-)

how to measure your evilness (against Google)

Well, in measurements you always need a reference unit (be it meter, kg, liter, etc) and a precision (-1%, +2%, etc). Have them and you can go out and play...

But is there a reference unit for evilness?! You're about to find it out... Of course there is, it's Google with its own "don't be evil!" slogan/BS. But how do you use it, how do you measure against it? Well, it's fairly simple: you use one of their services, lets take for instance AdSense to show their ads on your pages and guess what? It's an auto sensing measurement! If they consider anything on your pages as being *evil*, you'll find it out quite fast (via email).

What's the precision of it? Well, well, well, the sky is the limit, but we live on Earth, so... it can be really low. They take crowd input (and if you did your math in school you might have learned about crowd IQ), then it gets reviewed by pigeons (err, not quite, the staff might be IQ potent, at least the urban legend goes like that), then some magic mambo-jumbo and... bang, you're evil!

a (false) sense of security

Most of the time you use a service/product in confidence with the vendor's claims/guaranties/PR, but how many times do you think about and inspect their promises versus the technical side? Not very often, right? :-)

Do people trust Skype as safe? Yeah, sometimes. But if you read a bit about it, you'll be worried. FaceTime's GEM product can see/filter urls from your Skype IMs; WoW, what a feat! (why stopping at urls?) They are doing GEMs in partnership with, so you can safely RIP the security/privacy of your Skype messages.

What about the Skype calls? What about them?! If your IQ representation takes 3 digits, you can figure it out easily: your user/pass is the only way to authenticate to Skype; take them to another computer, type them in, you're in. If you let Skype online a bit longer on a few computers you'll notice some nice side effects: IMs are broadcasted to all instances. (what a) nice feat! (again).

If IMs are broadcasted, why voice/voip shouldn't inherit the same property? Yeah, just because this guy security reviewed an ancient version of Skype it doesn't mean it's safe forever after. In his paper you'll get to know the jargon about public/private keys, complicated mathematics that are basically rendered useless by the front door: user authentication with nickname & password. If they/Skype would have used public/private keys from the beginning/front door (by letting an open source tool to manage the keys and the encryption/decryption/signing process) they would have angried a lot of 3 letters nicknamed organizations, worldwide. (not to mention the corporate world). But that didn't happened. Instead, they choose the downside of closed source software. Now, presuming that would have followed (somehow) the open source road, what would you have done next? Embarking on the next trip...

Generating the public/private keys. Going to for it will reinforce your (false) sense of security. Thawte is well known for their SSL certificates, but they have also this other nice feat: free personal certificates for email. You generate the public/private keys (on their site), you download them, you use them. The catch? At all times your secret/private key is with them. Try this: your encrypted email lands in the hands of some 3 letters named org, they send their regards to Thawte, which in turn gives them your secret key. Security/Privacy? ("at its best")

So, I guess your're left (again)... with your open source friends :-)

Some other service I was promoting to you here, was... - some p2p brother of skype who plays with your backup/files. Again, their service would have been great it they would have managed to let the open source tools do the encryption/decryption and public/private key handling. Unfortunately, they don't... (and most likely, won't). Why providing security/privacy/protection to your user base when you can channel you dev efforts to the next big thing, web gui?

Note to self(s):

+ use open source
+ transparent SSH your way out (or in, :big grin: )
+ for (some) privacy in (small) companies (who might not afford GEMs), use skype
+ in big corporados, be open source only (pidgin + pidgin.encryption plugin might* do wonders :-)
+ if forced against the wall, use and its integrated gtalk client (it should* be able to do wonders as well :-)

* - needs some further testing; a fight to be fought some other day...

Sunday, July 27, 2008

the last lecture

(when life is short on you)

Sunday, July 13, 2008

wuala invitations - online p2p network storage

This might be your last chance to be an early adopter of Wuala (private beta, still invite only) and get some free network storage = +1GB per friend you invite, before they open the shop as public beta testing (when everyone can create their own account and compete for free storage with you :-)

Or, you can buy your way in via prepaid online network storage, the planned offer looks like:

  • 10 GB (for 15 EUR per year)
  • 50 GB (for 60 EUR per year)
  • 100 GB (for 100 EUR per year)
  • 500 GB (for 400 EUR per year)
  • 1 TB (for 640 EUR per year)
So, grab one of the invitations below, install java, install the wuala client (win/mac/linux), type in the invitation code, invite your friends and save at least €15 per year in online storage costs :-)

PS. Speeds are torrent like, both for upload and download, your wire is the limit... unlike conventional network storage solutions where upload/download speed depends on the internet connection of the storage provider and the server(s) they employ. Plus, with Wuala your files are encrypted locally before they are saved in the p2p network, something you won't find with others.

After you install the client, you'll be asked one secret invitation code - choose one from here:
unfair15suffer page69through hoop34tomato grasshopper43many thirsty7library stick42armful into0seen bathe16lookout draw41hey peaceful39must mow19train order43tax serve70stop acts38have explain67feed outlaw32stream fact16thanks cart95terrible clothing6tobacco soldier32soldier hem63book ladder61axe under56cradle meadow51outdoors many15running gum83fits end20steam sweet67before hers8handle awhile66except mean69saddle band91study divide34seen brick96warm star39brush aid17dam major67clever blue28frown meet22rapidly those13farmer officer54shepherd raise70flashlight tar79nearby hot41start terrible70price felt44fear childhood6passenger instead38quickly shining58handwriting perhaps73someone dead33kept witch16proper bran16pup jail70desert bet90rubber shine36square fall73rose lightning24only footprint3low bathtub45alley bookkeeper37tardy what61downstairs lose98spot citizen91quarter champion25popped airplane26clover tip22chicken chief3before thursday33prune catcher51rock tin68hill size84cuff organ87honor

Thursday, July 3, 2008

Yes, outsource, outsource NOW!

In other/ZDNet news:

Google has confirmed that personal data of US employees hired prior to 2006 has been stolen in a recent burglary.

Records kept at Colt Express Outsourcing Services, an external company used by Google and other companies to handle human-resources functions, were stolen in a burglary on 26 May.

An undisclosed number of employees’ details and those of dependents, such as names, addresses, and social security numbers, were on the stolen computers.>> Credit card numbers were reportedly not among the stolen data. ZDnet’s Brendon Chase adds that it is understood “that Colt did not employ encryption to protect the information.”

(bold) Way to go...