Back in the late 80s, I earned my living by hacking hard disk and floppy controllers.
With this kind of history, I was floored by Hard disk hacking,
in which Jereon aka Sprite_tm describes his reverse-engineering journey into hard
disk controllers.
Jereon also held a
presentation on this topic at OHM 2013.
I wasn't there, so I cannot wait to see the
video recording to show up on the
OHM2013
web site. If, like me, you are a reverse engineer deep down in your heart, this article is a must-read for you.
It shows how with a little bit of hardware tweaking, but mostly systematic and logical thinking and
debugging, hard disks can be hacked so that they will present fake contents to users - which is a
very troublesome thought to anyone concerned about security.
In one of those startling coincidences, just before I found Jereon's article, I had dug up old 8085 programming
manuals at home.
8085 CPUs were used in the controller hardware used for Atari's SH20x and Megafile hard disks (I specialized into Atari hardware in the 80s and early 80s).
My plan back then was to learn enough about 8085 assembler and architecture so that
I'd be able to disassemble and reverse-engineer the controller's firmware. That project never got too far,
unfortunately, and so I am really happy to see that a new generation of coders is fascinated by the same
idea and, unlike me, follows through. Bravo!
HTTPS (30 Jul 2013)
Now we know for sure that way too many countries mistook "1984" for a training manual, including Germany.
It is about time to teach myself about security and cryptography.
Hartley Brody's
"How HTTPS Secures Connections: What Every Web Dev Should Know" happened to float by on Hacker News (IIRC) the other day. For me, it was a great start to
start exploring this wide field.
Key learnings:
- Certificates are required to authenticate communication partners. In other words, make
sure you are really talking to your bank and not to someone who enjoys spending
spare time on building web sites which look surprisingly like your bank's
- Following authentication, a "common secret" is established which is henceforth used
to encrypt communication contents. The magic sauce is the
Diffie-Hellman-Merkle algorithm.
Algorithms like this make it possible to exchange enough information in the open
to establish this common secret.
- For performance reasons, subsequent encrypted communication is symmetric.
Which pushes the following items on my reading/viewing list:
Over the years, I collected implementations of an algorithm to solve the
subset sum problem
in various languages. A few days ago, I experimented a little with Python, and
here is the deplorably non-idiomatic and naïve result - apologies offered.
import random
import array
import sys
numbers = array.array('i')
flags = array.array('c')
solutions = 0
def find_solutions(k, target_sum):
global solutions
if target_sum == 0:
print " Solution:",
for i in range(0, len(numbers)):
if flags[i] != 0:
print numbers[i],
print
solutions = solutions + 1
else:
if k < len(numbers):
if (numbers[k] * (len(numbers)-k+1)) >= target_sum:
if target_sum >= numbers[k]:
flags[k] = 1
find_solutions(k+1, target_sum - numbers[k])
flags[k] = 0
find_solutions(k+1, target_sum)
def find_subset_sum(target_sum):
global solutions
global flags
print "Subsets which sum up to %s:" % target_sum
flags = [0] * len(numbers)
find_solutions(0, target_sum)
print "Found", solutions, "different solutions"
def subset_sum_test(size):
global numbers
total = 0
print "Random values:\n ",
for i in range(0, size):
numbers.append(random.randint(0, 1000))
total = total + numbers[i]
print numbers[i],
print
numbers = sorted(numbers, reverse = True)
target_sum = total/2
find_subset_sum(target_sum)
subset_sum_test(15 if len(sys.argv) < 2 else int(sys.argv[1]))
Just watched demos for Vaadin and Play to get first impressions.
In both cases, I liked what I saw, but of course I need to learn a lot more about those frameworks
to see when and for which kind of projects I would choose either Vaadin or Play over Spring MVC,
which I have been using professionally for a while now.
It's obvious, however, that Spring MVC and Play share a similar, web-oriented notion of the MVC pattern, while I am not sure whether MVC plays much of a role in Vaadin at all, with its focus
on
RIA and one-page web applications.
(In Vaadin, I guess MVC would be applied in a way similar to desktop apps.)
Bevor dieser Phishing-Versuch aus dem Spam-Ordner fliegt, muß ich ihn festhalten - diese
Email ist einfach zu putzig.
Betreff: Würdiges Angebot von haltbarer Holdinggesellschaft!
Sie haben ausgezeichnete verwaltungsmäßige Kenntnisse, ausreichende Fertigkeit im MS-Office.
Sie sind aufmerksam, organisiert, repräsentativ, zuverlässig und pünktlich, bewandert im Gebrauch von sozialen Netzwerkseiten wie Twitter und Facebook.
Außerdem können Sie gleich in der Belegschaft und unabhängig arbeiten, verstehen und durchführen Sie Erfolgsorientierte Instruktionen, dann suchen wir Sie.
Haben Sie Interesse für diesen Job, bitte, senden Sie uns Ihre Kontakt-Information:
Voller Name:
Land:
Stadt:
E-Mail:
Bitte bewerben Sie uns per Email für weitere Beschreibung:xxx@yyy.com
Hier will jemand auf recht naïve Art Emailadressen sammeln, um sie für Zwecke
zu verkaufen, die vom Abseitigen zum Verabscheuungswerten reichen. Nicht weiter der Rede wert eigentlich - abgesehen davon, daß das Deutsch mal wieder so entlarvend spaßig ist, daß man sich fragen muß, wer
auf solche Email wohl antworten mag.
Die Phishing-Kampagne verwendet als Lockvogel die Begriffe "Würde" und "Haltbarkeit" (Nachhaltigkeit),
um den vermeintlichen Arbeitgeber attraktiv zu machen. In diesen unseren Zeiten des Raubritterkapitalismus
fast schon ein erfolgversprechendes Rezept, denn genau wegen dieser Begriffe blieb ich an der
Nachricht hängen. Liegt aber sicher nur an mir...
Finally, after all those years, I got around to reading "JavaScript: The Good Parts" - pretty
much from cover to cover.
All in all, a great book! However, it left me even more confused about
how JavaScript sets "
this" than I was before. Fortunately, I found the discussion at
http://stackoverflow.com/questions/3127429/javascript-this-keyword and the article at
http://www.digital-web.com/articles/scope_in_javascript/ which both clarified
open questions for me. But I am pretty sure I will forget JavaScript's context subtleties
fairly quickly, and then I will have to look them up again. Oh well.
Crockford's approach is to focus on a subset of JavaScript which he considers sane,
Of course there is much debate on what belongs into the subset and what doesn't.
For example, Crockford bans the
++ and
-- operators because they remind
him too much of obfuscated C++ code. I did not find this particular advice too convincing, and it
seems
I am not alone.
To experiment with code from the book and test some code of my own, I used the
jsc
command-line JS interpreter on the Mac, and also toyed with
http://jsfiddle.net/.
(On Ubuntu, I guess I could have used
rhino.)
Older topics...
Add a new blog entry.