colin dellow's bln<br />by Colin (http://www.blogger.com/profile/15116594874775755604); feed last updated 2008-06-17.

NAFTA: Finally doing something for me (2008-06-16)
I bummed a ride to Buffalo and got my TN status today: the official start of my career in computer security...or is it?<br /><br />The process was pretty seamless. In fact, I didn't get fingerprinted, I didn't get grilled, and I didn't have to explain to the officer what to put on the form and where to sign it: it was easier than J-1 status!<br /><br />The worst question was: "Any criminal record, arrests, or things we should know about?"<br /><br />Since I got the TN status, you may infer that I answered no. But I had to give it some thought, especially after receiving my graduation gift from my parents this weekend:<br /><br /><a href="http://cldellow.com/images/letter-from-school.pdf"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand; border:1px solid black" src="http://bp3.blogger.com/_YY17AFO4QNs/SFcWKJn6yAI/AAAAAAAAALk/VILgYO_851U/s320/letter-from-school.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5212659457342490626" /></a><br /><br />Yes, it's a copy of my middle-school suspension notice, informing my parents that I had been suspended for computer hacking.<br /><br />Apparently, I had the distinction of being the first student to be suspended for violating computer rules.
It shows: my crime (keylogging a variety of computers) is described as violating copyright; the school's system administrator had a dictionary-attackable password; and, after a stern talking-to, the school librarian returned the floppy disk with the erased keylog file.<br /><br />A few clicks later, and I had resurrected the list of usernames and passwords that she had erased. Mmmm, data.<br /><br />So is my TN the official start of my career? Or is it just the next logical step, which will defeat attacks as naive as simple keylogging? I look forward to finding out!

1 degree of separation (2008-04-23)
<img src="http://www.bulletin.uwaterloo.ca/images/2006/0914elpe.jpg"><br /><br />I wrote my last exam, ever! Fittingly, it was of the cattle-herding variety in the PAC. Far from making me feel that my university experience was a generic, one-size-fits-all dehumanizing experience, this fact rejuvenated me: even downed cows get dragged off to market to be sold for beef.

Tripping in Europe (2008-04-18)
Check out our <a href="http://nerdsineurope.blogspot.com">travel blog</a> for the trip Jenn and I are taking this summer.<br /><br />(That's right - now I have two blogs to neglect!)

Life-altering decisions (2008-01-28)
<blockquote>Please note that you might think that making life-altering decisions, like selling your home, breaking a lease, taking a trip abroad before starting your new job, or giving notice might be logical and immediate steps
after receiving an offer from Microsoft, but if you are a visa-dependent candidate, these types of decisions can cause problems in the immigration process.<br /><br />Please wait to make any life-altering decision until after you have spoken with our immigration team for advice. This will ensure a smooth transition to Microsoft.</blockquote><br /><br />Oops.

Windows CardSpace and me (2008-01-14)
I've accepted a job with Microsoft, where I will be working on <a href="http://en.wikipedia.org/wiki/Windows_CardSpace">Windows CardSpace</a>.

Cows, part 2 (2007-12-29)
In Grade 9, I wrote a <a href="http://colin_dcomix.tripod.com/Screenshots.html">program to download comics and newspapers from the web</a><sup><a href="#80s">[1]</a></sup> and display them in a whiz-bang DHTML page (that's right, back in my day we called it DHTML, you young whippersnappers, none of this new-age <i>AJAX</i> crap.)<br /><br />Anyway, to drive this, I realized I could write a bunch of painstaking code to generate the URLs to download the images, or I could write some sort of text-based configuration file that would drive the program.<br /><br />That worked well for simple cases. Over time, distributors got tricky: the URL for their image had some custom string in it that you could only get if you loaded a specific page on the given day. And you had to have a specific Referer, too! This required a complex pattern matching system. I realized I could write a bunch of painstaking code to match the patterns I needed...
or I could look into this thing called regular expressions that I had kept seeing people use on the MOO.<br /><br />As always, I didn't have a <a href="http://www.cs.uwaterloo.ca/current/courses/course_descriptions/cDescr/CS241.shtml">deep understanding of what they were</a>, but seeing what they could do pretty much blew my 14-year-old mind away.<br /><br />And thus, I committed my first act of (unintentional!) intellectual property theft by including the regexpr package from the LambdaMOO server into my program wholesale. "Attribution? What's that?" Consider this a mea culpa and a fix after the fact.<br /><br /><a name="80s"></a><b>[1]</b> <i>I now understand how older folks feel when they say "it was the 70s," as if the date somehow excuses their pastel leisure suits. It was the 90s: back then, if you were on the web and didn't have enough popups and banner ads to induce seizures at rates competitive with modern Japanese anime, you were a nobody.</i>

Cows, part 1 (2007-12-29)
I first learned to hack code in BASIC and Pascal, but the language that truly brought me into the inner circle of real programmers was the MOO language. Invented at the famous Xerox PARC facility, MOOs were programmable, object-oriented, networkable, multi-user, concurrent, distributed environments. Every nerd's wet dream.<br /><br />An icon of MOO days was yduJ ("rhymes with fudge"), who wrote a few tutorials on the inner workings of MOOs. I am convinced that if a CS grad cannot explain all the concepts touched on in the <a href="http://www.hayseed.net/MOO/yduj_lore.txt">MOO Lore Pamphlet</a>, they should get a hard spanking and a stern talking-to.
Although I didn't realize it at the time, the pamphlet mentions:<br /><br /><ul><li>network latency</li><li>usenet</li><li>virtual memory and paging</li><li>concurrency</li><li>timeslicing</li><li>caching (and arguably, memoization)</li><li>event-based programming</li><li>heritability of security permissions</li><li>setuid</li><li>spoofing attacks</li><li>stack walking</li></ul><br /><br />Sadly, <a href="http://www.moo.ca/">the MOO where I truly learned to code</a> is now basically a museum relic - its once-youthful population has reached old age (i.e., kicked out of our parents' basements) and has moved on. Mostly to Google, it seems.

Stupid VIM tricks, part 1 (2007-12-28)
To insert a GUID into your document simply by typing 'guid', toss this into your .vimrc:<br /><br /><code><br />imap guid <esc>:r! C:\path\to\uuidgen.exe<cr>k$Jx40la<br /></code><br /><br />The k$Jx40la does as follows:<br /><br />k -> move up one line (<code>:r!</code> put the GUID on a new line below the current one and left the cursor there)<br />$ -> go to end of line<br />J -> join the line below (the GUID) onto this one<br />x -> delete the space that the join inserted<br />40l -> move the cursor right; a GUID in its usual hyphenated form is 36 characters, not 40, but <code>l</code> stops at the last character of the line, so the overshoot is harmless here<br />a -> return to insert mode, with the cursor just after the GUID<br /><br />Two caveats: because of the <code>$</code>, the GUID is always joined onto the end of the current line, so this only inserts at the cursor if the cursor was already at the end of the line; and if the line already ends in whitespace, <code>J</code> inserts no extra space, so the <code>x</code> deletes the first character of the GUID instead.

A momentous occasion (2007-12-21)
Hi there,<br /><br />April 30th, 2008.<br /><br />I greatly dislike your company.
The quality of your service is subpar at best, and your website is an exemplar of the sort of functionality that a 12-year-old with FrontPage 97 could provide if you bought him off with a crisp twenty dollar bill.<br /><br />I cannot wait until the day that I am free from your company’s shackles -- that day will be April 30th. It will be a joyous day, marked with tales around the now-silent TV, amid the unblinking glow of the LEDs of a router that is no longer connected to the intarwebs. There will be champagne for the adults and fizzy ginger ale for the kids. In fact, my fiancee and I are contemplating changing our anniversary to April 30th to forever remember the most special day in our lives. It's either that or get married on that day -- as math majors, the symmetry of us joining together while simultaneously dissolving our union with you has a certain aesthetic to the two of us. Whatever we choose, the champagne is chilling and the fireworks are waiting (in a cold, dry storage area - your concerns for our safety are noble, but we’ll live to see the day we sever our ties with Rogers if it kills us). <br /><br />That said, I want to pay you hundreds of dollars!<br /><br />Sorry... did that seem like I wasted a lot of time just so I could pay you money? Yup, that’s about how I feel every month when I try to pay you.<br /><br />Anyway, I would love to pay you, but I can't! Apparently, since signing up for a Rogers Home Phone account, I am unable to view/pay bills for my Rogers services until I link my Rogers Wireless account on to my One Bill. <br /><br />I don't get it - I don't have a Rogers Wireless account. Oh, I see. The Home Phone, which is not a wireless phone in any sense of the word, is a Wireless account. Duh. So I click on Combine Your Bills. Uh oh - 500 Internal Server Error. Let’s try that again. Hey it worked! 
In fact, it worked really well: "The Wireless and Cable accounts you have registered to this User ID are already subscribed to Rogers One Bill."<br /><br />Oh, I see. I have to register my Wireless account with my One Bill. It’s part of the One Bill, just not registered with the One Bill. Duh.<br /><br />I phoned your customer support number to get the information needed to register my account. That was fun. "Home phone." "Billing." "Home phone." "Human." "Billing." "Home phone." Clearly, the 12-year-old felt $20 was too much payment for the website, so he chipped in on the classy speech-recognition part of your telephone system.<br /><br />The one redeeming point of this could have been your customer service rep: she was almost able to answer my question: "what’s my account number?" Sadly, we got sidetracked with updating my contact information - do I have an email address? Do I have a phone number?<br /><br />Yes, Cathy, I do have a phone number. Now that I’ve paid my bill, I’ll have a phone number for another 131 days.<br /><br />Colin

Rock Band (2007-11-26)
I was stranded in Vancouver on my return from Toronto this weekend. Luckily, <a href="http://sarah.andyc.org/gallery/day1/IMG_0195">Sarah & Andy</a> put me up overnight and I got a ride back with Andy, arriving just in time for Monday's team meeting at 1PM.<br /><br />During the pre-meeting chitchat, a colleague was talking about the highly-anticipated Rock Band game that he had just managed to get a copy of this weekend. After some back and forth about how cool the game was, I noted...<br /><br />"Funny.
I, too, purchased a <a href="http://cldellow.com/images/ring.jpg">rock band</a> this weekend..."<br /><br />Jenn and I are engaged as of November 22, 2007.

How do you recognize a good programmer, part 1 (2007-11-23)
...he catches exceptions without even trying.

Zune 2: Wow (2007-11-15)
Zune 1 was a standard V1 offering: clunky hardware, software that was a bloated reskin of Windows Media Player 11. I understand.<br /><br />Zune 2 is a total revamp. Custom software written on the UI framework that powers Windows Media Center. It looks amazing. And, for a subscription music fiend like me... it rocks to have all this music at your fingertips.
(Click the thumbnail to get a bigger version.)<br /><br /><center><br /><strong>Music collection, viewing songs by R.E.M.</strong><br /><br /><a href="http://www.eng.uwaterloo.ca/~cldellow/zuneREM.jpg"><img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneREM.jpg"></a><br /><br /><strong>Music marketplace, main page</strong><br /><br /><a href="http://www.eng.uwaterloo.ca/~cldellow/zuneMarketplace.jpg"><img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneMarketplace.jpg"></a><br /><br /><strong>Music marketplace, viewing songs by Rolling Stones</strong><br /><br /><a href="http://www.eng.uwaterloo.ca/~cldellow/zuneRollingStones.jpg"><img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneRollingStones.jpg"></a><br /><br /><strong>Now playing mode (warning: full screen on a pretty big monitor)</strong><br /><br /><a href="http://www.eng.uwaterloo.ca/~cldellow/zuneNowPlayingMode.jpg"><img src="http://www.eng.uwaterloo.ca/~cldellow/tZuneNowPlaying.jpg"></a><br /></center>

Rogers really sucks (2007-11-12)
I got an email from Rogers -- I can get a sneak preview of their new website!<br /><br />Naturally, I assumed this was because of my <a href="http://cldellow.blogspot.com/2007/03/why-i-dont-have-cellphone.html">well-known love</a> of <a href="http://cldellow.blogspot.com/2007/09/joy-of-being-globetrotting-uw-co-op.html">their</a> <a href="http://cldellow.blogspot.com/2007/11/rogers-sucks.html">current website</a>.<br /><br />The new website? It starts by asking you to identify your province.<br /><br />In a Flash applet.<br /><br />Well done, Rogers.<br /><br />PS - If you visit the current rogers.com in Firefox with JavaScript disabled, you get a 500 Server Error. Seriously?
Seriously.

Rogers sucks (2007-11-05)
I hate Rogers.<br /><br />Just <a href="http://www.google.ca/search?hl=en&q=i+hate+rogers&meta=">casting another vote</a>.<br /><br />(Yup, "We are currently experiencing system problems. Please try again later, or call one of our Rogers e-Care representatives at 1-877-343-5745." Nice use of the word "currently", to imply there's some sort of ephemerality to the situation.)

Random Thoughts from a Weekend in Cleveland (2007-10-29)
Congratulations <a href="http://www.rickandlindsay.com/">Rick and Lindsay</a> on a year of marriage and your official start as a Catholic couple this past weekend.<br /><br />The wedding mass was very nice and was followed up with some very heartfelt toasts at the reception. In particular, I was impressed by the toast of the best man -- Rick's high school buddy, Mike Bishara -- who told of having to relay the details of Lindsay's almost-four-hour-long triple-overtime Harvard game to a smitten Rick when his internet went down.<br /><br />Congrats, you two - you'll have to post an update when you have your wedding photos ready for public distribution!<br /><br />Colin<br /><br />PS - Security theatre took place at the Cleveland airport as TSA officials tried to convert millilitres to ounces. "75 ml. It don't look too big." "Au floristat?" "Is this 3.4 ounces?"

Heard at NEO (2007-09-19)
At Microsoft's New Employee Orientation, they were impressing upon us the diversity of the company.
"What country are you from?"<br /><br />"Canada"<br />"Trinidad and Tobago"<br />"Iran"<br />"England"<br />"Quebec"<br /><br />...about half the room got the joke, but not the presenter.

The Joy of Being a Globetrotting UW Co-op Student (2007-09-17)
Money is a giant pain in the ass - why can't it all be a lot smoother?<br /><br />I'm writing this because I'm sitting down to pay the month's bills. Comcast, Rogers, Puget Sound Energy, BRE Trails, Visa cards, and ISTA, oh my! And, of course, Rogers's website is down. Again.<br /><br />When (if?) I successfully pay these bills, I will get to go forth and scatter bills for the amount paid via social money management tools, such as my favourite, BillMonk.<br /><br />In the two years that we've used BillMonk to track the shared expenses in our households, I've racked up $46,723.83 of "stuff". That's not necessarily $46,723.83 of expenses, mind you. Some of it is, of course: rent, utilities, entertainment, food, furniture. But some of it is just paperwork to shuffle debt from person A to person B to make settling up easier -- these line entries can add up, as person-to-person lines of credit often get close to four figures during a semester. Some of it is neither expense nor accounting acrobatics: BillMonk is currently tracking multiple security deposits that I jointly hold with four other people totalling $1,921.16.<br /><br />Why do we even have to think about this stuff? Where's the infrastructure to allow multiple people to commit to expenses jointly and seamlessly?
Failing that, where's the infrastructure for people to autoapprove bank transfers to specified individuals (not corporations) up to specific dollar amounts?<br /><br />The Pareto principle likely excludes me from getting the kind of banking and money management scenario I want, since I suspect my experience is pretty far outside the bell curve of normal. Relocating (with a new housemate, no less) every four months has its downsides. I can't wait for this to be over.

Comments on Amazon (2007-09-12)
One great thing about the Internet is you can rarely tell strictly from the text whether a person is being gut-wrenchingly sincere or devilishly deadpan. Take, for example, this review for the boardbook Guess How Much I Love You:<br /><blockquote>A minor concern: The characters are Little Nutbrown Hare and Big Nutbrown Hare. For those of us with mild dyslexia, it is too easy to refer to them as Little Brown Nut-Hair and Big Brown Nut-Hair, which is very different and considerably changes the tone of the story. I accept that this may be my personal problem, and I don't even believe it is appropriate to share it in this format.</blockquote>

Win the battle, lose the war (2007-09-02)
I've chatted in the past year with my father and Dan about merchants asking for photo ID when making Visa purchases. Turns out, this is against Visa's <a href="http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf">Rules for Merchants</a>.<br /><br />So, while making a purchase today, I refused the clerk's request for photo ID. In his ignorance of the rules, he would not permit the transaction to go through.
However, after escalating the issue to his manager, I successfully made the purchase without showing ID.<br /><br />On the downside, this was done in the US. And to get into the US, I was incorrectly asked to present my fingerprints and smiling face for the record. As I didn't have the balls to challenge Mr. R. Chai, the friendly customs officer, my biometric data is now sitting in one more database. Thanks, Department of Homeland Security -- that's one more terrorist that will never slip through your borders!

Customer service done right (2007-08-17)
<ul><li><a href="http://www.nickelbrook.com/">Better Bitters Brewery</a><blockquote>Despite being a small microbrewery, Better Bitters (maker of the tasty Nickel Brook Green Apple Pilsner) was eager to give us a tour. Or rather, the owner, who was a very affable guy named John Romano, was eager. Despite being busy, John walked us through the process they used to create great beers and even included a sampling of how beer tastes at various stages in the production process. Consummate small business attention to the customer throughout -- we've since finished the six cases we picked up from him. I wonder if they have Nickel Brook in the States? ;)</blockquote></li><li><a href="http://www.feedjit.com">Feedjit</a><blockquote>Feedjit is some new whiz bang web 2.0 thang. What kind of thang in particular is not important.<p>What is important is that after e-mailing the creator about a bug, I got a response confirming the existence of the bug and apologizing for it within 2 minutes. The bug was fixed within an hour. I received an email from the creator notifying me within an hour of that.
Impressive!</blockquote></li></ul>

CookieInjector, part 4 (2007-08-15)
Having demonstrated how CookieInjector <a href="http://cldellow.blogspot.com/2007/08/cookieinjector-part-3.html">works on a day-to-day basis</a>, the next question is: how do you tell CookieInjector what your passwords are? How do you get that snazzy Cookie Monster card?<br /><br />By using the CookieInjector Configuration tool, as demonstrated in the following screencast.<br /><br /><center><a href="http://cldellow.com/files/CookieInjector_Config.wmv"><img src="http://cldellow.com/images/cookieinjector_config_demo.jpg"></a></center>

CookieInjector, part 3 (2007-08-14)
I've got a first cut of an end-to-end CookieInjector session - check out a sample video below, where I log in to Gmail and Quest (my university's student management system). When logging in to Gmail, I actually log in twice, to demonstrate that separate sessions are being created.<br /><br />Note that the Cookie Jar claim value holds all the cookies needed to log in, but the display value is simply a hash of the cookies.
It's basically a placebo for the user so they know that <i>something</i> happened: the identity selector shows a fingerprint of the claim rather than the session cookies themselves.<br /><br />When logging in to Quest, I skip the preview/retrieve steps and do a one-click log in.<br /><br /><center><a href="http://cldellow.com/files/cookieinjector_gmail_quest.wmv"><img src="http://cldellow.com/images/cookieinjector_demo_wmv.jpg"></a></center><br /><br />This demo should illustrate the concrete improvements that CookieInjector and CardSpace give us:<br /><ul><li>consistent UI for authentication to different websites</li><li>centralized tracking of authentication<ul><li>...you can't see it, but my IP/STS records every time I authenticate to a specific service</li></ul></li><li>and, of course, you never need to enter a primary, long-lived password at a web site!<ul><li>...this has other ramifications, too: if I want to allow my housemates access to the online portals that show our internet, cable, and power bills, I can do that by granting them their own cards that are allowed to authenticate to a subset of my accounts</li></ul></li></ul>

ECE 493: Security (2007-08-12)
While studying for my ECE 493 exam, I accidentally stumbled onto two large security holes at a major multinational utility provider and a major multinational bank.<br /><br />I wouldn't care, but c'mon, with revenues like they have, surely they can afford a code review or two.

CookieInjector, part 2 (2007-08-12)
CookieInjector can now log me in to Bank of America, Bloglines, DreamHost, Facebook, Gmail, RBC and TD Canada Trust.
I am deeply indebted to Eric Lawrence for his <a href="http://www.fiddler2.com">Fiddler</a> HTTP/S traffic sniffer.<br /><br />One major lesson I have learned: banks have convoluted, mostly-broken web sites.<br /><br />So far, I just have two of the components functioning:<br /><ol><li>The library component to securely store passwords, authenticate to sites, and return the list of cookies</li><li>The browser helper object to recognize when we are at a site for which my system can handle authentication</li></ol><br />Still to do:<br /><ol><li>Extend the BHO to invoke CardSpace using my CodeCompete SSL cert</li><li>Write an IP/STS that shreds incoming requests, invokes the appropriate authentication, and returns the cookie</li></ol><br />Now that CardSpace has an official icon, supported webpages automatically get the following overlay when the more secure form of authentication is available:<br /><br /><center><img src="http://cldellow.com/images/bho.jpg"></center>

CookieInjector: The Idea (2007-08-10)
Three things you may know about me:<br /><ol><li>My UW password (and thus, my GMail, TD Canada Trust, Bank of America, and cldellow.com passwords) was recently exposed by the <a href="http://cldellow.blogspot.com/2007/08/shame.html">ineptitude</a> of my <a href="http://ist.uwaterloo.ca/security/vulnerable/20070801.shtml">university</a></li><li>I dislike <a href="http://cldellow.blogspot.com/2007/07/security-through-more-fucking-work-for.html">multi-factor authentication schemes</a> that have become popular at banks recently.
They aren't truly multi-factor and they result in more work for me.</li><li>CodeCompete, which started in <a href="http://cldellow.blogspot.com/2007/05/codecompete-goes-live.html">May</a>, is now <a href="http://codecompete.ca/archive/2007/05/30/15.aspx">finished</a>, so I have a spare SSL certificate kicking around.</li></ol><br />Granted, the widespread nature of (1) is my own fault. I trusted my university not to expose my password, and thus I was sloppy and used the same password in multiple places. Bottom line: accidents happen, passwords get leaked. Plan for it.<br /><br />So, once bitten, twice shy...<br /><br /><center><a href="http://cldellow.com/images/cookieinjector_big.png"><img src="http://cldellow.com/images/cookieinjector.png"></a></center><br /><br />The above is my vision of a tool I've named the Cookie Injector. It is composed of two parts:<br /><ol><li>An IP/STS residing on my machine, that knows all of my passwords and has the ability to automatically talk to web-based authentication servers (e.g., google.com, uwaterloo.ca) to exchange my passwords for HTTP session cookies; and</li><li>A C#.NET application that can invoke CardSpace to retrieve a token from the above IP/STS, extract the session cookies, and inject them into Internet Explorer on the given computer</li></ol><br />Ideally, this will allow me to:<br /><ul><li>have different passwords for google.com, microsoft.com, tdcanadatrust.com, bankofamerica.com, and uwaterloo.ca; and</li><li>not remember a single password, ever; which means:<ul><li>I'll never type a high-value or long-lived password into an untrusted machine</li><li>I'll have complex, hard-to-remember passwords<ul><li>...which can change on a weekly basis, automatically</li></ul></li></ul></li></ul><br />I'll be tinkering with this over the next month or so, and will publish any interesting
progress.
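The design sketched in "CookieInjector: The Idea" and demonstrated in "CookieInjector, part 3" (a local IP/STS that alone holds the passwords and trades them for session cookies, a Cookie Jar claim whose display value is only a hash, cards scoped to a subset of accounts, and a record of every authentication) can be modelled end to end without CardSpace or a network. The following is an added example written for this page, not the author's C#/CardSpace code: the site names, card ids, passwords and the ToySite login are constructed for illustration, and the display-value check in the injector is an assumption about how a client might use the hash, not something the posts describe.

```python
"""Toy model of the CookieInjector design (added example, not the author's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    card_id: str
    holder: str
    allowed_sites: frozenset  # accounts this card may authenticate to


@dataclass
class Token:
    site: str
    cookie_jar: str  # claim value: JSON-encoded cookies, the only thing the injector needs
    display: str     # what the identity selector shows: a fingerprint, never the cookies


class ToySite:
    """Stand-in for a web login form (constructed for this example; no network)."""

    def __init__(self, name, password):
        self.name = name
        self._password = password
        self._logins = 0
        self.sessions = set()

    def login(self, password):
        if not hmac.compare_digest(password, self._password):
            raise PermissionError(f"{self.name}: bad password")
        self._logins += 1
        # a fresh session id per login, so logging in twice yields two sessions
        sid = hashlib.sha256(f"{self.name}:{self._logins}".encode()).hexdigest()[:32]
        self.sessions.add(sid)
        return {"session": sid}


def display_value(cookie_jar):
    """Hash of the claim value, shown to the user instead of the cookies themselves."""
    return hashlib.sha256(cookie_jar.encode()).hexdigest()[:16]


class LocalSTS:
    """The IP/STS on the user's machine: the only component that ever sees passwords."""

    def __init__(self, sites, passwords):
        self._sites = sites          # name -> ToySite
        self._passwords = passwords  # name -> password (hypothetical store)
        self.audit = []              # (card_id, site, outcome), one entry per request

    def issue(self, card, site):
        if site not in card.allowed_sites:
            self.audit.append((card.card_id, site, "denied"))
            raise PermissionError(f"card {card.card_id} may not authenticate to {site}")
        cookies = self._sites[site].login(self._passwords[site])
        jar = json.dumps(cookies, sort_keys=True)
        self.audit.append((card.card_id, site, "issued"))
        return Token(site=site, cookie_jar=jar, display=display_value(jar))


def inject(token, browser_jar):
    """Injector side: check the display value against the claim, then set the cookies."""
    if display_value(token.cookie_jar) != token.display:
        raise ValueError("display value does not match the cookie jar claim")
    browser_jar.setdefault(token.site, {}).update(json.loads(token.cookie_jar))
    return browser_jar


def demo():
    """Owner logs in to gmail twice; a housemate card is allowed gmail but not the bank."""
    sites = {"gmail": ToySite("gmail", "g-secret"), "bank": ToySite("bank", "b-secret")}
    sts = LocalSTS(sites, {"gmail": "g-secret", "bank": "b-secret"})
    owner = Card("owner", "colin", frozenset({"gmail", "bank"}))
    housemate = Card("housemate", "roommate", frozenset({"gmail"}))  # subset of accounts
    browser = {}
    inject(sts.issue(owner, "gmail"), browser)
    inject(sts.issue(owner, "gmail"), browser)  # second login: a distinct session
    inject(sts.issue(housemate, "gmail"), browser)
    try:
        sts.issue(housemate, "bank")  # out of scope for this card, recorded as denied
    except PermissionError:
        pass
    return sts, sites, browser


if __name__ == "__main__":
    sts, sites, browser = demo()
    print(len(sites["gmail"].sessions), "gmail sessions;", sts.audit)
```

Two things the model makes visible. The password never crosses the STS boundary; what crosses it is the cookie jar, which for the lifetime of the session is worth exactly as much as the password, so it needs the same care on disk and in transit. And the display hash only tells the user that a different set of cookies was issued this time; anyone who can alter the token can recompute it, so it is a UI aid rather than an integrity check.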