TrueJournals

Tag: programming

How I Wrote My First Software Crack

by on Jun.22, 2011, under technology

Before I really get into this article, I need to place a couple notes here:

  1. This is a semi-technical post.  It assumes some knowledge of programming and how software works, but I’ll try to keep it as simple as possible.
  2. I’ve done my best to not give away what application I’m writing about.  This is on purpose.  While this is an interesting look into hacking software, getting around DRM is, to the best of my knowledge, illegal.  This article is actually about reverse-engineering, not cracking software.
  3. If the author of this application finds this blog post and thinks I’ve given away too much, they should please e-mail me and I’ll take it down.  If you think this article is about your application and it is not, however, I will not remove the article.
  4. If you like software, buy it!  Seriously… software developers need to eat, too!

Now, let’s get into the bread and butter of this article!


Why Did Wave Die so Quickly?

by on Feb.15, 2010, under technology, thoughts

A while ago, I was super excited to finally get a Google Wave invite. Today, I barely ever use the service. I just open it every now and then to see if anything’s happened. Generally, it hasn’t. But… Google Wave had so much potential! It was touted as a killer web application! What happened? Wave had so much momentum, but it seems to have crashed, and gone into one of those experiments that Google toyed around with, but no one really cares about anymore.

First off, let me say that whether Wave succeeds or not makes little difference for Google.  Google is a company with enough resources to work on a major product, even if that product is a failure.  Google wanted Wave to replace e-mail.  This is where the whole “Federated Wave Servers” idea came from.  In order for Wave to be the new standard, companies had to be able to run their own Wave servers — Google couldn’t control it.  Besides that, Google already controls a good chunk of the e-mail market with GMail, so this was mostly a fun experiment for them.

But, still, it seems like something that should have succeeded… or, at least, lasted a good amount of time. But, Wave has quickly lost momentum and died in everyone’s mind. The problem is that Google stopped innovating, and the Wave server never became very popular. I don’t believe there have been any feature additions to Wave since it launched, and I’m not sure there’s any good source other than Google Wave to get a Wave account.

Wave died because Google seems to have abandoned it.  They released a product, and they appeared to have stopped working on it.  Wave is something Google needed to not only push to corporations, but also continue innovating, and releasing new features, and this never happened.  Google was unable to explain to potential customers why they need Wave, and this is where it failed.  I think this is slightly unfortunate, but I’m not very surprised.  While e-mail is antiquated, it still works, and it’s going to take a lot of push in order to move away from it.  Google didn’t seem to have any major corporations backing Wave, which also contributed to the failure.

Who knows… maybe we’ll see Google attempt to revive Wave with some new features.  Maybe it will come back for a couple months… But Google will have to work really hard to get the momentum and excitement about Wave going again.

I do, by the way, have 12 Wave invites.  I suppose you can comment here or contact me if you want one.  That’s a dangerous statement to say on the Internet.  Although Wave has died, I have a feeling there are people who never got in on the game, and are still looking for invites, only to find a product that no one uses.


Understanding n810 NJoy Programming

by on Jun.14, 2009, under maemo

I think this would be a good place to archive my explanation of NJoy programming.  I was asked about how the patterns in mce.ini for the n810 work, with PatternError given as an example.  This was my reply:

The different sections of the line are separated by semicolons. So, priority is the first part, then a semicolon, then the “ScreenOn” value, then a semicolon, etc. So, I’ll use your example and point out each section of the programming.

0;1;0;40002000200040ff200020000000;0000;0000

To make this easier, I’m going to assign an index to each section of the command. I’ll split the string up by the semicolons. We’ll say the first character (a zero, in this case) has an index of 1. The second part of the split (a one), has an index of 2, etc, etc.

0;1;0;40002000200040ff200020000000;0000;0000
Index 1 defines the priority. If two patterns trigger at once, items with a higher priority (lower number for this section), take precedence, because only one pattern can be going at once. Since the priority is 1 (0 being the highest priority, 255 being the lowest), this pattern will display instead of almost any other pattern (the exception is patterns that have a priority of 0)

0;1;0;40002000200040ff200020000000;0000;0000
Index 2 defines whether or not the pattern should fire based on what state the display is in. In this case, it’s a 1, which mce.ini tells us means “show pattern even when the display is on”. So, this pattern will display no matter what.

0;1;0;40002000200040ff200020000000;0000;0000
Index three gives the timeout. This can tell the pattern to stop firing after a certain amount of time. In this case, it’s a zero, which means that the pattern will never stop firing (unless it’s told to).

0;1;0;40002000200040ff200020000000;0000;0000
Index four starts the actual programming of the LED. Index four gives the programming of the RED LED. It also gets a bit more complicated here. We have to split this section up into strings of four characters each in order to understand the programming. This is what the pattern looks like, split into four-character strings, with each string separated by a pipe (|):
4000|2000|2000|40ff|2000|2000|0000
So, there are seven different commands given to the red LED. Let’s take a look at them one by one:

  1. 4000 — This sets the brightness of the LED (anything starting with a 40 will change the brightness). I believe this tells the LED to turn off (0 brightness). I believe that ff would be 100% brightness.
  2. 2000 — This bumps the brightness up over a certain amount of time. This gets REALLY confusing. The first two characters, 20, tell how long it should take to change the brightness. 20 is in the 01 – 3f range, so we get “short” steps. If I understand this, we get 19 “short” steps of time ~0.49 ms, so this should take about 9.31 milliseconds. The next two characters, 00, define how many steps in brightness the LED should take. 00 is no change, so the pattern will pause for about 9.31 milliseconds.
  3. 2000 — Because this is the same command as above, this will also create a 9.31 millisecond pause.
  4. 40ff — Again we see a 40. This says to change the channel brightness. This time, we’re changing it to ff, which should be 100% brightness. So, this command turns the LED on.
  5. 2000 — This creates another 9.31 ms pause.
  6. 2000 — This creates another 9.31 ms pause.
  7. 0000 — This tells the pattern to loop (“jump to the start of the pattern”).

So, the red LED will turn off, pause for (2*9.31 ms =) 18.62 milliseconds, turn on, pause for another 18.62 milliseconds, then loop.

0;1;0;40002000200040ff200020000000;0000;0000
Index five gives the pattern for the GREEN LED. This is a very exciting pattern. It simply tells the pattern to repeat again and again and again. So… nothing happens with the green LED.

0;1;0;40002000200040ff200020000000;0000;0000
Index six gives the pattern for the BLUE LED. Again, very exciting. The blue LED does… nothing.

I hope this helps you understand how the programming works.
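The field layout walked through above can be checked mechanically. This parser is an added example, not part of the original reply and not code from mce; it classifies commands using only the rules stated in this post (40xx sets brightness, 01–3f are "short step" commands, 0000 jumps to the start), and the function names are hypothetical.

```python
PATTERN_ERROR = "0;1;0;40002000200040ff200020000000;0000;0000"  # example line from the post

def describe_command(cmd):
    """Classify one four-character LED command using only the rules given in the post."""
    op, arg = int(cmd[:2], 16), int(cmd[2:], 16)
    if cmd == "0000":
        return "jump to start of pattern"
    if op == 0x40:
        return f"set brightness to 0x{arg:02x}"
    if 0x01 <= op <= 0x3F:
        if arg == 0:
            return "pause (short steps)"          # zero brightness steps: only time passes
        return f"change brightness by {arg} steps (short steps)"
    return "not covered by the post"

def parse_pattern(line):
    """Split an mce.ini pattern value into its six semicolon-separated sections."""
    fields = line.strip().split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 sections, got {len(fields)}")
    priority, screen_on, timeout = (int(f) for f in fields[:3])
    if not 0 <= priority <= 255:
        raise ValueError("priority must be 0 (highest) to 255 (lowest)")
    leds = {}
    for name, program in zip(("red", "green", "blue"), fields[3:]):
        if len(program) % 4:
            raise ValueError(f"{name} program is not a whole number of 4-character commands")
        int(program, 16)                          # raises ValueError on non-hex or empty input
        leds[name] = [describe_command(program[i:i + 4])
                      for i in range(0, len(program), 4)]
    return {"priority": priority, "screen_on": screen_on,
            "timeout": timeout, "leds": leds}

if __name__ == "__main__":
    parsed = parse_pattern(PATTERN_ERROR)
    print(parsed["priority"], parsed["screen_on"], parsed["timeout"])
    for led, steps in parsed["leds"].items():
        print(led, steps)
```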


The Danger of “Incorrect Password”

by on May.11, 2009, under thoughts, website

I’m sure you’ve seen the message before. You try to log into a website you go to every now and then, and forget which password you used for it, or type something in wrong. “Sorry, this password is incorrect,” says the website. You grumble to yourself and try again, paying little attention to the harmless message. From a programmer’s perspective, it’s a bit more interesting than that.

With a SQL database backend, it’s quite easy to figure out a login problem. It’s a simple matter of searching the database for a username that is equal to the one the user entered. If the password of that row matches the password the user entered (generally MD5-hashed), then the user can log in. If it doesn’t, they get the “incorrect password” message, and if the username search returns zero rows, they get an “incorrect username” message. Simple and secure, right?

Wrong.  The problem with telling the user that the password was the incorrect data entered is that it lets them know that the username is correct.  For someone legitimately logging into the website, this is great.  They know exactly what to fix, they fix it and move on.  For someone who doesn’t actually own the account, however, this message is a lot more interesting.

Potentially, a script could be written to try thousands, even millions of usernames all with the same password.  Once an “incorrect password” message is reached, the script can then try another list of thousands to millions of passwords, until it gets an account.  All automated, and very simple.

So, the solution is to not let the user know what’s wrong.  Just say “incorrect login details.”  Something is wrong, but we’re not gonna tell you what.  Good luck!  This will stop any username-guessing script.  Now, you can’t tell a valid username from an invalid username.  However, some websites like to have lists of their members, or the hacker may already know a username for some reason.  So, how do we combat this?

Login try limits. After 5 failed attempts, lock out the IP address in question. Any user who just typed something wrong should be able to get it right within five tries, and blocking the IP will stop additional attacks. However, some robots are more complex than this.
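The two login flows side by side, as an added example that is not code from this site: `login_leaky` returns the distinct messages described above, while `login_hardened` returns one message for every failure and applies the five-attempt limit per IP. The table layout, the `alice` account, the in-memory counter and the salted PBKDF2 hash (used in place of plain MD5) are assumptions of this example.

```python
import hashlib, hmac, os, sqlite3
from collections import defaultdict

MAX_FAILURES = 5                       # the post's limit: 5 failed attempts per IP
GENERIC_ERROR = "incorrect login details"
_failures = defaultdict(int)           # in-memory only; a real site would persist and expire this
_DUMMY_SALT = os.urandom(16)           # used when the username does not exist

def _hash(password, salt):
    # Salted, slow hash; an assumption of this example, the post mentions MD5
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample database with one hypothetical account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, _hash("correct horse", salt)))
    return db

def login_leaky(db, username, password):
    """The flow from the post: the message tells the caller which field was wrong."""
    row = db.execute("SELECT salt, pw FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "incorrect username"
    if not hmac.compare_digest(row[1], _hash(password, row[0])):
        return "incorrect password"
    return "ok"

def login_hardened(db, username, password, ip):
    """Same message for every failure, plus the per-IP attempt limit."""
    if _failures[ip] >= MAX_FAILURES:
        return "locked out"
    row = db.execute("SELECT salt, pw FROM users WHERE username = ?", (username,)).fetchone()
    salt, stored = row if row else (_DUMMY_SALT, b"")
    # Hash even for unknown usernames so response time does not reveal which names exist
    candidate = _hash(password, salt)
    if row and hmac.compare_digest(stored, candidate):
        _failures.pop(ip, None)        # successful login clears the counter
        return "ok"
    _failures[ip] += 1
    return GENERIC_ERROR
```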

When it comes down to it, if someone really wants to get into your website, they will. A botnet with millions of different IP addresses could foil the above scheme. Additionally, proxies could get around this block. It would seem that there is no way to keep a website secure.

The responsibility falls on the user, really. Most websites say somewhere that if someone breaks into your account, they aren’t responsible. Website admins should have really long, annoying-to-type passwords, because they can easily save the password somewhere, and normal users should have passwords that are strong enough. If you’re really worried that someone will break into your account, choose a better, longer password.

Or, do we need to go above and beyond passwords? Is there a level of security past passwords that we have yet to reach? A lot of computers now have fingerprint readers. Could we have websites that require your fingerprint as your password? How about an image? A website could issue you a completely random image for your password. You save this image, and have to upload it any time you want to log in. The image would have to be small enough to let dial-up users upload it, but it could be big enough to be very, very random.

So, security isn’t perfect.  I doubt it ever will be.  If someone really, really wants to break into something, they will.  This is why we have jails.


Programming Brainstorm

by on Apr.23, 2009, under life, python, thoughts

Every now and then when working on a program, I like to have a brainstorming session.  Usually I’m just lying comfortably in my bed, thinking of how I can expand a program more, remove bugs, or make it quicker or more stable.  Last night, I had a brainstorming session for tear bookmarks, and I thought I’d share my notes with everyone who reads this.

My brainstorming session basically consists of my tablet running xournal.  I get nice lined notebook paper, where I can write down any ideas that pop into my head.  I can then look at that later and go “No… that won’t work” or “Hmm… I might be on to something,” and try to implement it.

So, if you’d like to see what I’ve been thinking about for tear bookmarks, look at the following PDF: 2009-04-22-tearbookmarksbrainstorm.  Enjoy!

