TrueJournals

I think this would be a good place to archive my explanation of NJoy programming.  I was asked about how the patterns in mce.ini for the n810 work, with PatternError given as an example.  This was my reply:

The different sections of the line are separated by semicolons. So, priority is the first part, then a semicolon, then the “ScreenOn” value, then a semicolon, etc. So, I’ll use your example and point out each section of the programming.

0;1;0;40002000200040ff200020000000;0000;0000

To make this easier, I’m going to assign an index to each section of the command. I’ll split the string up by the semicolons. We’ll say the first character (a zero, in this case) has an index of 1. The second part of the split (a one), has an index of 2, etc, etc.

0;1;0;40002000200040ff200020000000;0000;0000
Index 1 defines the priority. If two patterns trigger at once, items with a higher priority (lower number for this section), take precedence, because only one pattern can be going at once. Since the priority is 1 (0 being the highest priority, 255 being the lowest), this pattern will display instead of almost any other pattern (the exception is patterns that have a priority of 0)

0;1;0;40002000200040ff200020000000;0000;0000
Index 2 defines whether or not the pattern should fire based on what state the display is in. In this case, it’s a 1, which mce.ini tells us means “show pattern even when the display is on”. So, this pattern will display no matter what.

0;1;0;40002000200040ff200020000000;0000;0000
Index three gives the timeout. This can tell the pattern to stop firing after a certain amount of time. In this case, it’s a zero, which means that the pattern will never stop firing (unless it’s told to).

0;1;0;40002000200040ff200020000000;0000;0000
Index four starts the actual programming of the LED. Index four gives the programming of the RED LED. It also gets a bit more complicated here. We have to split this section up into strings of four characters each in order to understand the programming. This is what the pattern looks like, split into four-character strings, with each string separated by a pipe (|):
4000|2000|2000|40ff|2000|2000|0000
So, there are seven different commands given to the red LED. Let’s take a look at them one by one:

1. 4000 — This sets the brightness of the LED (anything starting with a 40 will change the brightness). I believe this tells the LED to turn off (0 brightness). I believe that ff would be 100% brightness.
2. 2000 — This bumps the brightness up over a certain amount of time. This gets REALLY confusing. The first two characters, 20, tell how long it should take to change the brightness. 20 is in the 01 - 3f range, so we get “short” steps. If I understand this, we get 19 “short” steps of time ~0.49ms, so this should take about 9.31 milliseconds. The next two characters, 00, defines how many steps in brightness the LED should take. 00 is no change, so the pattern will pause for about 9.31 milliseconds.
3. 2000 — Because this is the same command as above, this will also create a 9.31 millisecond pause.
4. 40ff — Again we see a 40. This says to change the channel brightness. This time, we’re changing it to ff, which should be 100% brightness. So, this command turns the LED on.
5. 2000 — This creates another 9.31 ms pause.
6. 2000 — This creates another 9.31 ms pause.
7. 0000 — This tells the pattern to loop (”jump to the start of the pattern”).

So, the red LED will turn off, pause for (2*9.31 ms =) 18.62 milliseconds, turn on, pause for another 18.62 milliseconds, then loop.

0;1;0;40002000200040ff200020000000;0000;0000
Index five gives the pattern for the GREEN LED. This is a very exciting pattern. It simply tells the pattern to repeat again and again and again. So… nothing happens with the green LED.

0;1;0;40002000200040ff200020000000;0000;0000
Index six gives the pattern for the BLUE LED. Again, very exciting. The blue LED does… nothing.

I hope this helps you understand how the programming works.

This will be the second in my series of security topics from a non-security expert, I suppose.  I just calls ‘em hows I sees ‘em.

As you may or may not know, I will be attending Valparaiso University this Fall as a Freshman.  When I attended Valparaiso’s Freshman orientation program, they taught us a lot about their online systems.  One thing I learned was that I will need to change my password every 185 days, and when I change it, it can’t be similar to whatever I had last time.  The idea here is that this will be more secure, because hackers will never know your password for an extended period.  However, I see a problem with this.

Forcing me to change my password to something completely different means forcing me to memorize a new password, something completely different, too.  Now, personally, I don’t think this will be much of a problem, because I’m pretty good at memorizing things.  However, if you aren’t that good at memorizing, this could cause a big problem: the urge to write down your password.  As anyone could tell you, writing down a password immediately creates a security risk, because anyone could see it written on a piece of paper, or take the paper, etc.  The safest place for a password is in your brain, and in your brain only.

So, is forcing users to change their password really more secure?  For some people, I think it will help, but I think it’s a practice that could only hurt others.  A better idea would be to enforce good password practice: have users create a nice, good length, password, containing at least one letter, number, capital letter, and special character.  Want to go for more security?  Force it to start and end with a letter.  Don’t just let the user tack an exclaimation mark on an otherwise easy-to-guess password.

Overall, I don’t think there will ever be a formula for password security.  There is no one end-all be-all tip I can give for keeping your password away from hackers.  Perhaps forcing people to change their password every x days really does help security.  But, I’d like to see some concrete proof of this before I believe it.

Rumble is a pretty hot topic among game controllers.  When the Sony announced that the PS3 controller wouldn’t have rumble, gamers and bloggers got angry.  Joystiq gives a perfect example of this, summarizing the opinions of others.  And while the general consensus was that rumble wouldn’t hurt Sony, it would just help them if they had it, it’s still a shame to see a company remove such a nice gaming feature.

Three years later, in walks Microsoft.  Perhaps you’ve heard of Project Natal.  It’s an interesting concept.  Instead of forcing you to hold a control, sit down and play your video games, we’ll FORCE you to stand up and fight your opponents like a man.  Microsoft looked at the success of the Wii, and basically said, “We can take this one step farther…”  If it works well, and Microsoft can keep the price point low, then I have a feeling it will go over big.  If not, then it’ll flop and be part of gaming history, much like the Power Glove and Sega Activator.

However, there’s a strange point that all the articles I’ve read have been missing.  Without a controller to hold, there will be no rumble, no force feedback.  And while, for the most part, this is really just a novelty… There are some games that might be lacking without this crucial detail.  Yet, the blogosphere hasn’t exploded.  In just three years, the Internet has gotten over the joy of having rumble in a controller.

Maybe we never really needed it to begin with, and Sony just showed us this by removing it.  Personally, I’ve never used a PS3, but if the consesus was that it wasn’t a critical point, then that’s not what’s hurting its sales.  Or, maybe, Microsoft just can’t do any evil in the gaming world.  Sure, Microsoft is evil in the computing world… but they seem to be a god in the gaming world, much like Apple is a do-no-evil god in the computing world.

So, what will come out of this?  Maybe we’ll start to see more controllers without rumble.  Rumble hit it big, but maybe the novelty is dying off now, and we realize that we don’t really need rumble to play a good video game.  Or, perhaps Microsoft’s “controller” will flop, and systems will still keep rumble in their controllers.  Of course, Natal could always flop AND we lose rumble in controllers.  Only time will tell.

Facebook is starting to become MySpace.

When facebook started, it was a great idea: provide a way for college kids to easily find and communicate with their old high school, and current college friends.  A simple, easy form of communication to link people who physically know each other.  Then, they opened up registrations, a little at a time, and, now, anybody is free to join Facebook.

This was OK at first too, though.  It was still a great way to communicate across generations, or with people in other states or even countries that you physically have met.  It enabled people to plan events, and share what’s on their mind, all while keeping a standard layout, something which MySpace never guaranteed.  It would seem that the reason MySpace died in popularity, and the reason Facebook gained popularity, was the customization of MySpace profiles, the communication aspect of Facebook, and the reputation that MySpace had recieved over the years.

But, it seems that Facebook is drifting away from its innovation.  The first step towards this was e-mailing you when something happens.  This has always annoyed me.  The settings for e-mails in facebook are “E-mail me if X happens” or “Don’t e-mail me if X happens”.  So, if I want to be notified if someone replies to a thread that I’m part of, I will be sent an e-mail any time anyone replies to that thread.  If I don’t, I won’t be notified at all, and will have to visit Facebook (which I often forget to do).

This creates a lot of spam in my inbox.  In a thread even just between five people, if thoughts are flying back and forth, my inbox gets filled up with e-mail from facebook quickly.  So, facebook needs to take a hint from forums.  Offer a third option: notify me on the first event.  This should send you an e-mail saying “Someone replied to thread X” when someone replies to a thread you’re part of.  Then, it should wait until you actually view the new messages in the thread before sending you another e-mail that someone replied.  On top of that, take into account things you’re notified of when browsing the site.  If I’m on facebook, and someone writes on my wall, the website tells me this.  Don’t also send me an e-mail, it just gets annoying.

But this isn’t the only way facebook is becoming a virus.  I noticed something interesting happening the other day.  A friend of mine took a quiz, and I saw it in the “news feed” on my main page.  So, I took the quiz to see what my result would be.  Soon after, another three or so of my friends had also taken that same quiz.  It’s hard to say whose quiz-taking inspired these others, but this spread of wildfire is very virus-like.

Some, though, might call this the wonder of social web.  That things are happening this quickly, and that we can see them in real-time is a miracle of modern technology.  But, have we gone too far with this?  When something exhibits the qualities of a virus, how long does it take for us to break down and just call it a virus?

This type of action is, in my opinion, what caused MySpace to fail.  I think Facebook is a needed hub of communication, but I think that if it continues on its current trajectory, it will just wind up in a crash landing.

So, it seems that Facebook has become the new, and is taking the path of, MySpace.

Let me repeat that.  It appears that the next device Nokia is going to release with the Maemo operating system is a phone.

This device is supposed to be all we thought it would be.  Only, there are a couple major differences from what we thought it would be.  First off, we thought it would be a data-only connection, with voice coming later.  Secondly, we thought there would be a 4″ screen (based on the previous tablets).  Finally, it appears that, due to the phone aspect, it will be locked into a carrier.  If leaked information is right (and Nokia internals seem to confirm this), then the leak is absolutely correct, and… we’re screwed.

When I bought my Nokia 770, I thought it was the coolest thing I had seen.  I wasn’t looking for a phone (I don’t have a cell plan… don’t have much need for one… yet…), yet this was a device that I could carry around and browse the web, etc.  It wasn’t terribly powerful, but that was OK.  Then, I got a N800, which blew me away.  It was amazingly faster, and I thought it did a great job at what it was designed to do: an Internet Tablet.

Recently, the maemo community has been trying to pull itself together (not without objection).  The maemo website has been redone, beta SDKs have been released, Internet Tablet Talk has been moved to talk.maemo.org, and it seems like everyone is waiting for a new device.  It seems that Internet Tablet Talk moving to talk.maemo.org was a key point to Nokia’s next device.  If they were not going to put out an Internet Tablet, but instead release a phone, they couldn’t have a website called Internet Tablet Talk talking about Maemo, now their phone operating system.  So, what did they do?  They decided to “pull the community together,” and remove “Internet Tablet” from Maemo.

Now, I don’t think the development of a phone is a terrible idea, and it’s where Maemo needs to go, but I’d like to see Nokia keep the Internet Tablet spirit, while adding phone features.  The spirit of the Internet Tablets was to have a pocketable device that you could take and get internet anywhere, and have a nice, good-sized, good resolution, 4″ screen.  This, to me, seems like the perfect screen size for this device.  It’s small enough to be pocketable, but big enough to be readable.  Yet, with the next Maemo device, Nokia is downsizing, but keeping resolution.

What does this mean?  It means that text will be smaller.  One of the design points of Maemo 5 was to make the interface “finger friendly” (this hinted at the lack of a stylus in the next device).  However, putting the same resolution on a smaller screen means that UI components now need to be huge.  It seems that this is a step backwards.  We will have more processing power, so we want a bigger screen, so we can do more with it.  Higher resolution, right?  Well, Nokia cheated at this.  By making the screen smaller, but keeping the resolution the same, they have a higher DPI, which will be percieved as a higher resolution.

But, is this really what’s best for Nokia and Maemo?  Nokia is clearly trying to get Maemo devices more mass-marketed.  They seem to believe, due to the low sales of previous internet tablets, that Maemo will be better off in a phone.  Phones just generally sell more.  Or do they?  Nokia advertised the internet tablets just about not at all, and Apple, with the iPod Touch, has proved that there is a market for a portable WiFi computing device that can fit in a pocket.  Sure, the internet tablets were designed with Nerds in mind, but I think that if Nokia worked on marketing the internet tablets, there would have been a bigger market.

However, this is the benefit of phones: Nokia doesn’t need to do any advertising.  Sure, there are advertisements for phones, but, generally, advertisements are for phone networks.  The network sells you the phone, and advertises for whichever one makes them the most money.  But, when you go in to buy a phone, all the phones are out on display, and you can pick which one you want.  Not once did I ever see an internet tablet “out on display”.  So, the phone market creates free advertising.

Overall, I’m disappointed that this is the direction that Nokia is moving with the Mameo platform.  I liked the internet tablets being a niche device that no one else has.  I enjoyed showing off my nerdiness by pulling a computer out of my pocket.  Now, it’ll just be another smart phone.  No big deal.  Everyone has one of those.

Woah.  Here’s a scary topic.  Talking about science and religion in the same blog post.  That’s dangerous.  Look, I even put them next to each other in the title! I must really be crazy. Or, more hopefully, I have some interesting thoughts.  Let me start out with a quote from the book (and movie) Angels and Demons:

Science and religion are not at odds.  Science is just to young to understand.

In preparation for going to Fermilab, my AP Physics C class has been learning about quantum physics and string theory.  I find all of this rediculously fascinating.  Yet, when I start hearing dates, it sounds like all of this was figured out so long ago.  Then, I look at the LHC (Large Hadron Collider), and realize that the greatest discoveries are yet to come, and are even within my lifetime.

For those unaware, I’ll start off with quantum physics (which we know to be true).  The scale of things in quantum physics goes like this: an object is made of atoms.  These atoms contain electrons orbiting a neucleus.  This neucleus contains protons and neutrons.  And (this is where quantum mechanics comes in), protons are made of smaller pieces called quarks.  Without going into too much detail, there are six types of quarks, but we only need two of them to make up protons and neutrons.  So, to make up everything we normally see, we only need two quarks and an electron.  This sounds nice, but it leaves some mathematical gaps.

This is where string theory comes in.  String theory says that these quarks are made up of tiny, vibrating bits of energy called strings.  Now, when I say tiny, I mean MINISCULE.  These strings are going to remain invisible to us for quite some time.  Also, there’s another problem.  In order for this to make sense, there needs to be not three or four dimensions, but eleven dimensions (one of time, three of space, and seven additional spatial dimensions).  Assuming that all of this is true, the math works out beautifully, and everything seems to make sense. (continue reading…)

I will continue to update this post throughout today and tomorrow with the latest developments of my caller ID research.

Sunday, 9:30 AM –I’ve discovered an interesting line while decompiling Comcast’s software (in an if statement which handles incoming messages):

(arg1.from[0].match(CALLER_ID_SERVICE_JID) || arg1.from[0].match(CALLER_ID_SERVICE_JID_TEST))

This means that comcast IS checking who the message is coming from.  Although, they seem to do something else if it’s not from one of these two addresses.  Also, what is CALLER_ID_SERVICE_JID_TEST?  I’ll have to do some more exploring!

Sunday, 1:44 PM — Hmm… some interesting declarations:

public static const CALLER_ID_SERVICE_JID_TEST:String=”vismedia02@comcast.net”;
public static const CALLER_ID_SERVICE_JID:String=”callerid_alert@comcast.net”;

Monday, 9:19 AM — I’ve discovered an interesting URL in the code — machenmusik.com — it’s the package for the caller id decoding function (so, the project should be hosted there).  However, it currently just gives a login prompt.  Very strange.  Anyway, I’m attempting to translate the caller ID decoding into python.  I’ll let others translate it from there.  We’ll see how this works out…

Monday, 3:18 PM — Well, after playing with the decompiled actionscript a bunch, I can’t get it to return any comprehensible output.  The same goes for the python I translated.  So, I’m kinda giving up right now due to lack of knowlege.  If someone else would like to pick up where I’ve left off, contact me and I can send you what I have so far…  It was worth a try, right?

Comcast has recently added a new feature to their digital voice service: caller ID anywhere.  Simply download a program on your computer, enter your comcast.net username and password, and you’ll get a small alert any time you get a call.  The same system allows comcast to show caller ID alerts on your TV.

So, how does this work?  Did comcast come up with some super-secret way to encode this data so no one but them can use it?  Nope; they’re simply using XMPP.

For those unaware, XMPP is a very nice concept: an open messaging protocol.  This means that companies don’t need to invent their own protocol, or shell out big bucks to use another protocol.  Just grab a server and client, and you have an instant messaging system.  XMPP is also designed to be expandible.  Is there a feature you need that it’s missing?  Just code it in, following the current specifications.  The problem with this is that different clients can conform to different specifications for things that aren’t part of the official protocol, but that’s another discussion.

Comcast decided to not reinvent the wheel, and just use XMPP, with a little twist.  If you already know a bit about XMPP, I’ll give you the stanza as a client receives it: (continue reading…)

A limerick:

There once  was a big, scary monster
… crap…

Inspired by: http://limerickdb.com/?257

No posts in a while
I have been busy with school
More soon, I promise

I’m sure you’ve seen the message before.  You try to log into a website you go to every now and then, and forget which password you used for it, or type something in wrong.  ”Sorry, this password is incorrect,” says the website.  You grumble to yourself and try again, paying little attention to the harmless message.  From a programmer’s perspective, it’s a bit more interesting than that.

With a SQL database backend, it’s quite easy to figure out a login problem.  It’s a simple matter of searching the databse for a username that is equal to the one the user entered.  If the password of that row matches the password the user entered (generally md5 encoded), then the user can login.  If it doesn’t, they get the “incorrect password” message, and if the username search returns zero rows, they get an “incorrect username” message.  Simple and secure, right?

Wrong.  The problem with telling the user that the password was the incorrect data entered is that it lets them know that the username is correct.  For someone legitimately logging into the website, this is great.  They know exactly what to fix, they fix it and move on.  For someone who doesn’t actually own the account, however, this message is a lot more interesting.

Potentially, a script could be written to try thousands, even millions of usernames all with the same password.  Once an “incorrect password” message is reached, the script can then try another list of thousands to millions of passwords, until it gets an account.  All automated, and very simple.

So, the solution is to not let the user know what’s wrong.  Just say “incorrect login details.”  Something is wrong, but we’re not gonna tell you what.  Good luck!  This will stop any username-guessing script.  Now, you can’t tell a valid username from an invalid username.  However, some websites like to have lists of their members, or the hacker may already know a username for some reason.  So, how do we combat this?

Login try limits.  After 5 failed attempts, lock out the IP address in question.  Any user who just typed something wrong should be able to get it right within five tries, and blocking the IP will stop from additional attacks.  However, some robots are more complex than this.

When it comes down to it, if someone really wants to get into your website, they will.  A botnet will millions of different IP addresses could foil the above scheme.  Additionally, proxies could get around this block.  It would seem that there is no way to keep a website secure.

The responsibility falls on the user, really.  Most websites say somewhere that if someone breaks into your account, they aren’t responsible.  Website admins should have really long annoying to type passwords, because they can easily save the password somewhere, and normal users should have passwords that are strong enough.  If you’re really worried that someone will break into your account, choose a better, longer password.

Or, do we need to go above and beyond passwords?  Is there a level of security past passwords that we have yet to reach.  A lot of computers now have fingerprint readers.  Could we have websites that require your fingerprint as your password?  How about an image?  A website could issue you a completely random image for your password.  You save this image, and have to upload it any time you want to login.  The image would have to be small enough to let dial up users be able to upload the image, but it could be big enough to be very, very random.

So, security isn’t perfect.  I doubt it ever will be.  If someone really, really wants to break into something, they will.  This is why we have jails.