Friday, March 28, 2008

Building chat protocols with security and privacy in mind

Many creators of chat programs just sit fown and write the chat protocols without considering much of security and privacy protocols to be implemented within their chat protocols. MSN, Yahoo Messenger ... they are not really designed to handle security and privacy of messages.

A solution is to simply create a protocol from the very start, to handle privacy and security like encryption of messages , in the native protocol itself, and also leaving space for the expansion of future encryption protocols and security protocols in the chat protocols.

In all softwares and protocols, we MUST always consider security and privacy while designning softwares and protocols while the Information Technology age is filled with uncertainty... hackings... malwares , sniffing of network packets...etc.

Another way to implement security and privacy of the current protocols (including those not designed to handle security and privacy), is to create a software where you can allow it to sit on selected ports (according to which chat protocols you are using), with a friendly GUI interface with full user controls over the actions of this software without any backdoors or hacks and what this software does is to receive packets sending out of the network ports and encrypt the packets and on the receiving end, receive the packets and check if it's encrypted. If the packet is encrypted, it would decrypt it according to what kind of encryption is used.

In simple terms, a software would sit on the required ports with the user's full permission to intercept packets the user is sending out and encrypt it if the order is given and to decrypt received encrypted packets, all done without any hassle and trustworthy to the users without betraying the user.

Afterall, the best way is to create a protocol with security and privacy in mind from the beginning so that it would be more secure.

Monday, March 17, 2008

Next Big Thing in Database techology

This is my perosnal opinion of what might be the next big thing in database technology.

When you insert your datan into the database files, the data files of the database are plain and clear...simply, clear text. It's notprotected by anything.

How do you secure your database files then ? Simple... just encrypt it. What happen if you need to do a JDBC or ODBC call to your database and the data flowing through the channel(s) are sensitive? You could encrypt the data . One of the encryption technology you can use to encrypt your JDBC or ODBC is SSL.

In simple terms, the next big thing in database technology is higher security and protection to your database and JDBC / ODBC connections. I think the reason why such a growth in encryption channels is because of the inseurity of the netowkr and the Web. We are constantly under survillence not just by government agenices, but also by hackers and malicious users. These entities would be more than happy to gain quick access into your database and look at your things, and for hackers... they would make a bad mess or harvest the data in your database.

I am a member of a couple of forums and two out of the few forums I am a member, have been hacked. One of the forum had the database data being harvested. Personal information could be leaked.. like private email addresses and passwords. We could change the forum membership passwords when the forum is restored. Most of us use a small amount or even just one password for emails, forum access ...etc. The hackers may have guessed it and use the forum membership password to hack into and try to access your emails and other accounts related to you.

You could spend your time coding the codes to tunnel JDBC / ODBC connection through SSL or you could have your work done by the database (which means the creators of the database have already done that for you). You may want to encrypt every byte before loading them into the database or you could have the database engine do that for you.

H2 database system does just that. H2 JDBC connector allows users to tunnel JDBC through SSL by specifying it in the JDBC connection and it's just that simple. You do not need to code the tunneling yourself. H2 database system also allow an option for the user to select whether to encrypt their database or not to. H2 supports AES encryption and XTEA encyption algorithm for the database file level encryption. Like the JDBC/ODBC SSL, all you need is to specify it in the JDBC connection and leave the database to do the rest for you.

H2 database system: http://www.h2database.com/html/frame.html

The future of database systems could be more about the emphasis of security and privacy.

Monday, March 10, 2008

A possible way to protect disk encryption...

By now, many would have known that disk encryption is getting vulnerable because of the weakness of the designs of disk encryption where the encryption key is stored in the RAM. Rather than storing encryption keys, It would be useful if future software disk encryption designs would prompt user for the keys or passwords rather than storing it. When lock screen or hibernation or sleeping mode is engaged, the RAM could wipe out the key from memory so the next time the user wakes up the system, the user would need to key in the password or key again. When the computer is shutdown, the key can be wiped off after encryption of the data. To take to another step of security, rather than just wiping off, replacing the data with fake random data or turning the data into blanks or unused segments or sectors would be rather useful. The only thing left for the user to lose their data other than brute attacks to logins or crypto-attacks is for the user to be careless either to spill it out or leave the computer unlock while away.

There maybe other ways to improve disk encryption. But this is the best I can come up with for now.

Maybe, another way is not to apply a full disk encryption ... rather a file encryption.. so the only way to open the file is for you to authenticate it in some ways.

Dynamic Server

As many IT people may know, many servers need to run on a static IP address. What if you do not have the money to get a domain or you don't wish to or if you are just setting it up at home for home use for your server applications or if you are a bit more ambitious to allow both home and public use ? How can a server be created so that not only could you put it into a normal home network (usually home network are on DHCP) ?

I have thought about this problem and I have came up with a theory to solve it. Since your server apps is residing on a DHCP based network and it's not possible or out of your technical knowledge reach (for non-geeks) to have a static IP, your server apps can use bit torrent technology to help you out.

Simply, your server apps should be able to detect a change of your server's IP address and it would quickly grab it's new IP address and somehow format it and load it as a torrent and publish it and also send a message to clients that are still connected , the new IP address. You may want to create a bit torrent similar structure. When your client notices that the IP address of the server is changed, they may want to access a certain torrent or bit torrent like structure for the new IP address. Why use a bit torrent like structure ? Because of the ability of bit torrent to publish and spread data quickly. It's best to make use of the bit torrent currently availbale rather than your own structures because bit torrent is so widely available and well known, thus making availability not an issue. You can just seed your data and it would be published.

If you have an array of mirrors for your server apps , the array of IP address can be released within the torrent and thus making availability not an issue.

An example, if by some means such a theory were to be incorprated into webpages and if the main Wikileaks go offline and Wikileaks publish in a torrent the range of IP addresses of other servers, it would become very available.

If you have a server apps on your laptop and you are always on the road, people can easily connect to your mobile laptop via the above theory easily... as long as your laptop is powered up and your server apps is online.

I hope some great minds with a sense of liberty and security would fulfil this theory and make it possible and open source and allow full and unhindered access within biasness or discrimination so that it can benefit anyone and everyone.

Maybe who knows one day, the internet maybe truely mobile where your webpages are stored on your laptops and are mirrored to your desktops and other user's desktop allowing access without the need of a static server. The only thing left to be concerned is security because if you store data on someone else desktop as mirrors to your actual stuff, someone might play with your contents.

The future of the Web would be P2P with wings rather than static servers...

Friday, March 7, 2008

Unmanned Space Droids

Read:

http://www.msnbc.msn.com/id/23512686/


The alternative would be unmanned humanoid droids with small booster engines and robust communication systems and fault tolerant systems. By the standards of current chip and processor technology and huge improvements to robotics technology, I don't see why it would be hard to make a couple or an army of unmanned humanoid droids for space as repair crews , pilots and reconn units. The Japanese managed to create child size robots with good amount of intelligence and even the capability for robots to learn. If the technology were to be used for these space droids, missions would be less risky and if you lose a robot ... it would be less painful than losing a living human and robots can be far more tolerant and longer lasting than humans. you don't need the robots to have very very good leg walking skills which many robots still lack ... all you need is small thrusters on the robots to move them around. If they need 'food', they can just be plugged in and recharged or they maybe able to carry a mini solar panel array so they can continue their work for longer period of time. Like unmanned UAVs, all they need is a ground control station or a couple of stations and backup system that are fault tolerant. If staff on the ground want to inspect and repair,they just need to remotely control the robot from Earth to carry out missions directly or crews from the Space Station can use an inbuilt control center too.

I think it all needs 4 years of intensive research and the robots would be fine on their way.

A module for housing the robots and recharging them should be used as a package too.

Virgin and SpaceX can be considered for supplying and transportation.I think it's time for cooperation between government and public sectors to improve space technology instead of any hold backs.

Sci-fi and games are becoming more real as technology advances... but are humans' consciousness and spirituality ready for it ?

If Universal ID were implemented... how should it be implemented ?

Imagine if the world want to have a universal ID code ... how should you go about making one. My personal approach would be to convert our DNA sequence into some sort of a code. There are 'A' , 'C' , 'G' , 'T' for the DNA sequence. These four letters can be used as it is to generate the code or it maybe represented by certain bits or bytes. When the full DNA has been converted into a list of ACGT or bytes or bits , some hash functions can be used to make the code more efficient. DNA is unique in everyone so if you want a convenient universal ID , a DNA saliva swap , encoding and hashing can be applied (the hashing and encoding should have only one style for ease) and you would get the person's universal ID.

I wouldn't encourage universal ID because it's going to hinder personal privacy and as you know , data leaks by hacking and bad softwares or espionage is so common... no data can be gauranteed safety and privacy ... and who knows what people might do to you with your ID known to them... I think universal ID is not a good idea .

This is an abstract thought on how to implement ... but I would discourage anyone trying to use my method above to use it for universal ID.

Disclaimer: If this method is somehow available before the date of publishing of this post, by no ways or means do I know anything. This is a thought that came to my mind rather than referencing someone's ideas.

Wednesday, March 5, 2008

Portrait of the Modern Terrorist as an Idiot

Read:

http://www.schneier.com/essay-174.html


An article written by the famous cryptographer and security expert, Bruce Shneier. I agree with this essay a lot.. incompetent terrorist , government and media .. as Schneier puts it. Why didn't anyone take into detailed consideration of the thick walled fuel tank and pipelines that have vault on them to stop oxygen and thus explosion ? Is someone trying to kick up a usual fuss again ?

An example of pettiness in the industry

Read:

http://games.slashdot.org/games/08/03/04/204255.shtml

Although I personally don't approve of MySpace or FaceBook or any networking sites where you put up too much of your personal data online( including birth date , age , gender , personal contacts ... etc) , the main focus is on the electronic Scrabbles game made by two Indian brothers.

It shows that those companies going against just two brothers ... only two brothers .. are willing to pool all the resources ... just to 'kill off' two person. Isn't this really too much ?

I personally feel that those companies should have worked with the two brothers ... to expand the influence of their games... rather than turn on the brothers. Why don't you use these two talents when they are standing right in front of you ? If you managed to get the help og these two brothers, you can create better versions of the Scrabulous and maybe a Scrabulous Pro version where some money is needed for some sort of subscription ?

It shows how petty these companies are.... these are not the only cases where patents are used so carelessly and without a second thought and so commonly misused... just to squeeze as much money out of the poor victims. If the victims were huge companies deliberately violating and making huge amount of profits for their very own use ... then maybe they need a squeeze... but these are two brothers who wrote the program for free...

Good work for the two brothers... this is the spirit of Free Software. Maybe you might want to seek the help of FSF if you get into any trouble (as long as your software is free and open source ... FSF would help defend you).

I think patent owners should really think twice before they use their patent rights ... because most patent cases.. according to my observation .. are carelessly and most often... misused.

By misusing patents rights, patents become a symbol of control... not freedom .. and thus generate more negative feelings towards it .

Sunday, March 2, 2008

How go is encyrpted email ?

Read:

http://lifehacker.com/software/encryption/how-to-encrypt-your-email-180878.php

This article teaches you how to setup encryption for the email client called Thunderbird. You can do encryption even for Gmail , Yahoo mail , Hotmail ...etc. You don't need an email client to do so and you can do it in a web-based email situation. All you need is a software to encrypt your message with your private key and generate a public key. Publish the public key somewhere.

Refering to the article's scenario, what Joe could have done to read Sam's emil to Jane is to suspect an encryption in the email because of the weird cryptic message. Using a search ... maybe via search engine like Google or other means of search to retrieve the public key.

With the public key , Joe could use it to decrypt the encrypted message. This is to assume that the public key is found. Another scenario is that Jane publish her public key by sending Sam in a previous message her public key. If Joe captured the message containing the public key... it's game over. The best way is for Jane to meet Sam personally to give him the public key or over the phone... by what if Joe somehow manages to eavesdrop on the phone call ?

Using Diffie Hellman for creating a shared secret key is going to be troublesome because a few values have to be actively exchanged between Jane and Sam before both get the secret key made.

Anyway , how safe is encrypted email ? Against people who have little will...it's definitely effective... but what if it's up against someone who is so willing to eavesdrop...have the people , have the resources ... have the time to do so ?