January 30, 2004

Info from Microsoft about the HTTP username support

Microsoft have now released an official Knowledge Base article about the removal of support for usernames in HTTP/HTTPS URL's. The great (yep, great, not just good) news is that this will indeed be done for HTTP and HTTPS only, and it will *not* affect FTP URL's, where this is indeed a useful feature every once in a while. The so-so news is that the support for HTTP will be removed altogether, not controlled by an option or anything, but then that's not really as big a problem as it might seem at first sight.

MyDoom, SCO, and the effect on the Internet at large

A kinda funny article over at Netcraft - www.sco.com is a weapon of mass destruction. Although part of the purpose of the article seems to be fun, still it does bring up an interesting point: with the number of MyDoom-infected PC's out there, tomorrow may be a Bad Day for whatever IP address www.sco.com points at. And yes, it does use DNS to resolve the 'www.sco.com' hostname, at least according to the analysis summarized in the Trojan Horses Research digest of messages related to this virus.

Now.. how long before someone writes an Apache, Squid, or IDS module, which detects several HTTP GET requests for www.sco.com and blocks the sender, just in case? :)

January 29, 2004

MPAA seeks P2P Enforcer for antipiracy ops

Reading this article from The Reg, I can't help but wonder if this job ad is some kind of a joke... I mean, it wouldn't be too hard for somebody to spoof the MPAA for the purposes of posting an ad, right? Okay, my knowledge of HotJobs is less than "next to nothing", but still this does indeed seem more than a bit suspicious, IMHO.

Scientists discover a new form of matter

Earlier today, Slashdot mentioned an article over at Yahoo! News entitled Scientists Create New Form of Matter. Strictly speaking, I think 'discover' or 'synthesize' would be a better word than 'create' - after all, this state of matter has been possible (and possibly has been around) since forever. However, this does not make the article - and the discovery - any less interesting.

Microsoft to remove support for usernames in http urls

There has been much talk in recent years about the security hazards of a deceptive practice that was little known outside the IT security communities: using the http://username@hostname/ syntax for a URL to fool the user into going to an unexpected website: just use a hostname in the username part, as in http://www.cnn.com@extelligence.ringlet.net/, and there are people who would really think they are going to the CNN site. This works even better if the real hostname is disguised as an IP address or some other weird representation, like binary or just URL-encoding. Recently, this has become more widely known, as several large-scale scamming operations used this technique to lure unsuspecting users to their own websites.
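To make the above concrete from the defender's side, here is an added example (not code from the original post) that does what a mail filter or proxy would do with such a link: it lets the standard library split the URL, reports the host the browser would actually connect to, and flags userinfo in HTTP and HTTPS URLs while leaving FTP logins alone. It goes one step beyond the paragraph by also decoding decimal and hexadecimal "hosts" back to dotted-quad form. The sample URLs other than the post's own cnn.com@extelligence.ringlet.net one are constructed for the demo.

```python
"""Flag deceptive username@hostname URLs the way a filter would.

Added example, not part of the original post; standard library only.
"""
import ipaddress
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class UrlVerdict(NamedTuple):
    scheme: str
    userinfo: Optional[str]   # whatever sits before '@' in the authority
    real_host: str            # the host a browser would actually connect to
    deceptive: bool           # True when the userinfo is likely a lure
    reason: str


def decode_numeric_host(host: str) -> str:
    """Turn a decimal (2130706433) or hex (0x7f000001) 'host' into
    dotted-quad form; anything else is returned unchanged."""
    try:
        if host.lower().startswith("0x"):
            return str(ipaddress.ip_address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.ip_address(int(host)))
    except ValueError:
        pass
    return host


def analyse_url(url: str) -> UrlVerdict:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # urlsplit separates user[:password]@host for us, so the text a
    # victim reads as "the site" is simply parts.username.
    userinfo = parts.username
    if userinfo is not None and parts.password is not None:
        userinfo = f"{userinfo}:{parts.password}"
    literal_host = parts.hostname or ""
    real_host = decode_numeric_host(literal_host)

    if userinfo is None:
        return UrlVerdict(scheme, None, real_host, False, "no userinfo")
    if scheme not in ("http", "https"):
        # e.g. ftp://anonymous@host/ - a legitimate, useful login hint
        return UrlVerdict(scheme, userinfo, real_host, False,
                          "userinfo is normal for this scheme")

    reasons: List[str] = []
    if "." in userinfo:
        reasons.append("userinfo looks like a hostname")
    if real_host != literal_host:
        reasons.append("numeric host disguises the real address")
    if not reasons:
        reasons.append("userinfo in an HTTP(S) URL is almost never legitimate")
    return UrlVerdict(scheme, userinfo, real_host, True, "; ".join(reasons))


if __name__ == "__main__":
    for sample in (
        "http://www.cnn.com@extelligence.ringlet.net/",   # the post's example
        "http://www.cnn.com@2130706433/",                 # constructed
        "ftp://anonymous@ftp.example.org/pub/",           # constructed
        "https://www.cnn.com/",                           # constructed
    ):
        print(sample, "->", analyse_url(sample))
```

Run as a script it prints one verdict per sample; in a filter you would act on `deceptive` and log `real_host`, which is the only name that matters for where the user ends up.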

Now, NetCraft reports that Microsoft has decided to remove the support for username@hostname HTTP URL's from Internet Explorer. Some might see this as a deviation from standards; I personally see it as an unfortunately needed bandaid, which removes very, very rarely used functionality.

Somewhat to my surprise, I actually find that I am with Microsoft on this one, my rants about Outlook 2003's mishandling of Message-Id notwithstanding. There are just two things that bother me somewhat. It would be nice if they would not touch FTP URL's, since, much as I abhor using a browser as an FTP client (that's a subject for another rant, but it *will* be a vicious one), it is sometimes the easiest way. And the other thing - I wonder if the username@hostname support for HTTP could be made an option, off by default, not removed altogether. It may be very rarely used, but it still might come in handy once in a long while.

Vlad Taltos - "Shut up, Loiosh!"

As part of the preparation for the Operating Systems university exam today (that's my version, and I'm stickin' to it! ;), I picked up a Bulgarian collection of three of Steven Brust's novels: Jhereg, Yendi, and Teckla. A wonderful fantasy series, maybe even a sword-and-sorcery classic! Naturally, a medieval setting, two races - humans (called "Easterners") and Dragaerans, which are very similar to humans, although not quite enough for all purposes. Vlad Taltos, a hired assassin, and his friend Loiosh, a jhereg - something like a bird, something like a dragon, something like a killer. Of course there is magic, and there is also a somewhat uncommon approach to life, death, and revival (there are those who sneer at Brust's use of the word 'revivification', but IMHO, it's a writer's privilege) - leading, in its own way, to a different attitude to giving and taking life.

After I finish "Yendi" and "Teckla", I might as well try to lay my hands on Brust's other works. Of course, this is all IMHO, and YMMV, but doesn't it always? :)

Update: the friend who gave me the book pointed out a stupid, stupid mistake - I had misspelled Vlad Taltos's last name. D'oh!

Another argument for Message-Id

I missed a very important argument in my Outlook 2003 and Message-Id rant the other day; it was on my mind when I started writing the rant, but then it must have slipped through the cracks...

The fact that the usual way to form the Message-Id header discloses the sending machine's hostname is made almost irrelevant by the fact that there are very, very few SMTP servers which do not add a "Received" header containing the client's perceived IP address, the client's perceived DNS hostname, and the contents of the client's HELO command - which, with most SMTP clients, actually contains the client's hostname.

Here's an example:

Received: from actual-hostname-deleted (HELO straylight.m.ringlet.net) (actual-IP-address-deleted)
by gandalf.online.bg with SMTP; 28 Jan 2004 08:09:30 -0000

This was the first (technically, the last, since the SMTP servers further on in the chain had added theirs to the beginning of the message) "Received" header on a message that I recently sent to a public list. As you can see, my mail client (not Outlook 2003, but see below) honored the SMTP protocol by issuing a HELO command with the local machine's hostname - and it is plainly visible in the message headers.
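The header order and the HELO disclosure described above can be checked mechanically. The following is an added example, not code from the original post: it parses the Received headers of a constructed message whose bottom-most header copies the shape of the qmail-style line quoted above (redacted fields kept as placeholders), and picks out the HELO name, the recorded client address and the receiving server for each hop. The regular expression covers only the "from X (HELO Y) (Z) by W" shape shown here; real Received headers vary a great deal.

```python
"""Extract HELO names and client addresses from Received headers.

Added example, not part of the original post.  SAMPLE_MESSAGE is
constructed; only its second Received line mirrors the post's example.
"""
import email
import re
from typing import Dict, List, Optional

# qmail-style "from <rdns> (HELO <helo>) (<addr>) by <server> ..." line;
# the HELO and address groups are optional so other shapes still yield
# the rdns and receiving-server fields.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"(?:\s+\((?P<addr>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed message: the relay added its header on top, so the
# originating hop is the last Received header, as the post explains.
SAMPLE_MESSAGE = """\
Received: from gandalf.online.bg (gandalf.online.bg [203.0.113.10])
  by mx.example.net with ESMTP; 28 Jan 2004 08:09:31 -0000
Received: from actual-hostname-deleted (HELO straylight.m.ringlet.net) (actual-IP-address-deleted)
  by gandalf.online.bg with SMTP; 28 Jan 2004 08:09:30 -0000
From: sender@example.org
To: list@example.net
Subject: constructed sample

body
"""


def parse_received(msg_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per Received header, top of the message first."""
    msg = email.message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())          # unfold continuation lines
        m = RECEIVED_RE.search(line)
        hop: Dict[str, Optional[str]] = {"rdns": None, "helo": None,
                                         "addr": None, "by": None, "raw": line}
        if m:
            hop.update(rdns=m["rdns"], helo=m["helo"], addr=m["addr"], by=m["by"])
        hops.append(hop)
    return hops


def originating_hop(msg_text: str) -> Optional[Dict[str, Optional[str]]]:
    """The bottom-most Received header: the first server's view of the client."""
    hops = parse_received(msg_text)
    return hops[-1] if hops else None


def disclosed_client_names(msg_text: str) -> List[str]:
    """Names about the submitting machine that any recipient can read off
    the originating hop: its HELO argument and the recorded reverse DNS."""
    hop = originating_hop(msg_text)
    if hop is None:
        return []
    return [v for v in (hop["helo"], hop["rdns"]) if v]


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE_MESSAGE)):
        print(i, hop["by"], "<-", hop["helo"], hop["addr"])
    print("disclosed:", disclosed_client_names(SAMPLE_MESSAGE))
```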

A coworker fired off a quick test message using Outlook 2003 and, lo and behold, the SMTP server logged a Received header with the coworker's machine's name in it! So much for privacy, I guess :P

Note: please do not take this as a request for Microsoft to stop providing the machine's hostname in the HELO command, too! :)

January 28, 2004

Learning Japanese

Japanese is one of the languages that I'd really, really like to learn some day. This funny article (via Neurotech) made me even more determined :)

Of course, the problem lies in the "some day" part of the above; Japanese is on the list, along with Latin, Italian, and a couple of languages that I'd really like to refresh my knowledge of, as in "actually learn a larger vocabulary and start reading".

January 27, 2004

Outlook 2003's Message-Id insanity

So $REALJOB_COMPANY deploys a Windows-based intranet - Active Directory, Exchange, Web components, all that jazz. So far so good, except when a cow-orker asked about spam handling, the boss (who is actually a truly-non-PHB, and who actually engineered the new network infrastructure) replied that spam handling might be solved when we migrate to using MS Outlook 2003 and its spam filters, but... But, he said, Outlook 2003 had a slight problem: it could sometimes send out messages without including a Message-Id header! So we're waiting for Microsoft to fix that, and then we'll migrate.

I could scarcely believe that, so seconds after the meeting there I was, googling for Outlook 2003 Message-Id, and sure enough, there it was: on the first page of results, a news bulletin which, among others, states that Outlook 2003 only includes Message-ID's when sending e-mail through an Exchange server. What really got my goat, though, was the reason for omitting the Message-Id header: you see, users complained that their machine names were visible on the Internet!

<F/X: spanner in works, mind grinding to abrupt halt, head exploding>

I wonder how the rest of the Internet, including the users of previous versions of Outlook and Outlook Express, have managed to cope with this horrible invasion of privacy - encoding the hostname in the Message-Id header - for the past nigh on 20 years! Its use in the In-reply-to and/or References headers, its perfect suitability for indexing/searching an archive for messages, and lots of other characteristics just leave me lost for words. And even if the actual hostname is not used in the header, there are many algorithms to generate a hash or something based on the hostname - which would still go a long way towards the purpose of the hopefully-globally-unique Message-Id value.

Okay, so Outlook 2003 is indeed technically RFC-compliant, since RFC 2822 section 3.6.4, "Identification fields", does indeed say a message SHOULD (not MUST) have a Message-Id - but it does use the verb SHOULD and not MAY. Also, RFC 2821 allows the first or last SMTP server in the chain to add a Message-Id if none is present, but there are still many RFC-compliant SMTP servers out there which do not do so, and the client has absolutely no guarantees that a message will get a Message-Id header - and IMHO, every message should have one.
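The hash-based alternative mentioned two paragraphs up is a few lines of code. This is an added example, not code from the original post or from any mail client: it derives the right-hand side of the Message-Id from a SHA-256 digest of the hostname rather than the hostname itself, and checks the result against a simplified form of the msg-id grammar from RFC 2822 section 3.6.4. Using `invalid` as the final label is an assumption made here so the token can never collide with a real domain.

```python
"""Generate a Message-Id that stays unique without naming the machine.

Added example, not part of the original post.
"""
import hashlib
import re
import socket
from email.utils import make_msgid

# Simplified msg-id = "<" dot-atom "@" dot-atom ">" (RFC 2822 sec. 3.6.4);
# make_msgid() only ever emits digits and dots on the left-hand side.
MSG_ID_RE = re.compile(r"^<[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+>$")


def hashed_domain(hostname: str, label_len: int = 20) -> str:
    """Opaque but stable domain-like token: the same host always yields the
    same label, so archive indexing by sender still works, yet the hostname
    cannot be read back out of it.  '.invalid' is an assumption (RFC 2606
    reserved TLD) chosen so the token is never a live domain."""
    digest = hashlib.sha256(hostname.encode("utf-8")).hexdigest()
    return f"{digest[:label_len]}.invalid"


def private_message_id(hostname: str = None) -> str:
    """RFC 2822 Message-Id built by the standard library's make_msgid(),
    with the hashed token in place of the hostname."""
    host = hostname or socket.gethostname()
    return make_msgid(domain=hashed_domain(host))


def is_valid_message_id(value: str) -> bool:
    return MSG_ID_RE.match(value) is not None


if __name__ == "__main__":
    mid = private_message_id("straylight.m.ringlet.net")   # the post's host
    print(mid, is_valid_message_id(mid))
```

Two consecutive calls differ because `make_msgid()` mixes in the time, the process id and 64 random bits; the host-derived part only changes when the hostname does.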

Oh well... score another one for muddy thinking. The end result? Outlook 2003 currently generates scores of messages that may very well be considered spam by many popular spam filters out there - and for a very, very good reason, too.

The Da Vinci Code - more fiction than it would appear?

It turns out a lot of people think that what Dan Brown presents as facts and history is, well, not really founded on fact as firmly as he'd have his readers believe. I guess I'll have to do some research on my own now...

To be honest, I did wonder at the way the book starts: there is a note named "Facts", which lists a couple of details about some of the events and organizations mentioned in the book. I wonder if this is actually the author's way of subtly suggesting that the rest of his writings may be opinions or simply fiction :)

"...and the Lord caused the sea to go back..."

The Washington Times has an article on Russian scientists who claim to have explained the Biblical parting of the waters of the Red Sea, which allowed the Jews to leave Egypt, as related in the book of Exodus. Well, okay, the Washington Times was the first place I saw it - it is also covered by The St. Petersburg Times, and also in a couple of blogs.

If this turns out to be possible, the only question left would be, was it just a storm at the right time, or was it really the hand of $DEITY that brought it around just when the Jews were ready to leave?

January 26, 2004

No breaks

Last night, Red Planet was on bTV, but Iva and I opted for something lighter - Welcome to the Jungle (also known as "The Rundown" to our American readers, I guess). A great action comedy! Sure, not much to remember it by, but it does at least have a plot, and also a couple of wonderful moments that had us roaring with laughter. IMHO, a good choice for a couple of hours of entertainment (but don't necessarily top it off by reading through the night).

Oh, and by the way - the "Mir" cinema is still one of the best in Sofia, even after the appearance of the Multiplex and Arena. Well, there is the distance factor - Mir is slightly closer to home than the Multiplex, and this seems to count on cold windy winter nights :)

The Da Vinci Code

Last night I did something moderately stupid, which I hadn't done for months: picked up Dan Brown's The Da Vinci Code and finished it in one sitting, 11:30pm to 4:30am. The reviews on that official page may be a bit over the board, but it is indeed a good gripping thriller, packed with lots and lots of interesting facts or opinions of comparative religion, depending on which way you look at them. The title of the Bulgarian translation is "Kodyt na Leonardo", and it also happens to be a good translation, right down to the several pieces of verse, some of them crucial to the plot.

I also managed to solve a couple of the riddles almost immediately on seeing them - and even spooked Iva a bit when I got up at 2am, looking for a mirror :) The funny thing is, I woke up quite easily at 7:30am and am not feeling sleepy at all even now - but ask me again in an hour or three :P

Update: Read more about the Da Vinci Code in a later post.

January 25, 2004

netsec sample research plans uploaded

Well, procrastination is a wonderful thing, but I finally finished the research topics and plans for the Network Security course.

January 24, 2004

Half down, two and a half to go

As the title goes, today's written part of the Operating Systems exam came and went; four problems about shell scripting and C file I/O - what could be easier? :) Well, we'll see on the second, theoretical part of the exam, on the 29th. After that, the other two exams might take a bit more studying, but that's a thought for another day :) And then, there's the Design and Analysis of Computer Algorithms course, where a project is due for the end of February...

Just as I hoped, the exam ended early enough, so that I could see my sister off properly; she's now sent me an arrived-safe note from Frankfurt, and tomorrow she should leap over the Big Puddle. Then we'll see (or rather, she'll see, then tell us) how paranoid the immigration services of the Land of the Free really are.

On another note, some'd say that ten below (Centigrade) is too cold, especially when one does not dress properly, but let me tell you, for waking up in the morning, nothing beats a brisk walk in the snow, even while it is still piling up more and more. There is a Bulgarian phrase, "bjala prikazka", which would translate literally to something like "white fairy-tale", but refers to the beauty and calm of a nice quiet winter day, the ground and everything above it covered by the dazzlingly-white snow, all sound muffled, and the sun still shining... That's the way I felt today, and that's probably the way I'll feel for the rest of the winter - for it is my favorite season, though here, in Bulgaria, it does tend to get a bit on the cold side :)

Okay, that's enough rambling for today, now get thee to some dinner and then to finishing up the project plans for the Network Security course - to give the students some hints as to what we would expect to find in the written assignments that are due kinda soon.

January 23, 2004

GSM operators

Ever since MobilTel, the first Bulgarian GSM operator, was established back in 1995, there has been an awful lot of badmouthing from all sides: complaints of bad customer service, high pricing, slow uptake of new technology, and so on. In the past year or two, some of those complaints have also targeted GloBul, the second Bulgarian GSM operator. Well, some of those complaints have had some merit, but IMHO, most of them could be placed in one of three classes:

  • Limited experience: people complain about things they see as "bad" in MobilTel's service and don't realize that some of those things are very, very hard to do for a mobile operator. Actually, I'd go out on a limb and say that MobilTel and GloBul have already done many things better than many other GSM operators worldwide.
  • Unrealistic expectations: there will always be a comparatively very small group of people with much technical knowledge and experience, who have heard about some cool new technology or service developed and possibly rolled out for testing by, say, Japanese mobile operators, and immediately start shouting and accusing our GSM operators of being slow on the uptake. The simple truth is, such hi-tech services usually have a very high cost of deployment and a very limited userbase. Thus, were a GSM operator to actually deploy them, it would have to either do it at a huge loss, or place a huge price on them, eliciting even more complaints and accusations.
  • And finally, envy: some might say this is typical of the Balkan peoples, I won't go that far. Still, it is hard to deny that it is a common human trait to look at someone who has made more or less of a success and immediately try to find a flaw or three or, failing that, just make up some mud to sling. Note that I do not consider all the accusations and complaints fabricated; as I said above, some of them do (or did) have merit. Some of the others, though... *shrug*.

And to give some substance to this so far purely abstract rant, let me at last come to the actual point :) The idea of writing this came up while discussing with a couple of friends an article from The Register yesterday: subscribers to the Orange mobile operator in the Netherlands can now choose a mobile number when signing up. The article highly praised Orange for this wonderful new service, to quote: "a luxury most European telcos do not offer yet to consumers". Even so, subscribers will be charged 100 EUR for picking a number.

So, the point: MobilTel has been offering this very service for a long, long time - I'm not sure if it was from the very beginning, but it has certainly been available for more than three years now, at the price of 30 BGN (a bit less than 15 EUR): Bulgarian and English version of the list of additional services.

And no, I don't think that this rant of mine will instill logic and reason into the badmouthers' minds and make them shut up :) I just needed to vent some steam.. or something :)

Note: some people who know me would realize that even though I neither work for MobilTel nor am a shareholder or anything, I am not completely impartial to them. Take this with a lump of salt if you will, but what I have written above is purely personal opinion, and as such may not reflect any definition of objective truth, be it according to the teachings of Plato, Socrates, Kant, Kubrick, or Eris. If you choose to gamble half your fortune based on predictions made by perusing this text, I will not be held responsible for the outcome, although, if you should win, a share of the prize would be nice :)

January 22, 2004

Sleep helps? In other news, the sky is blue...

CBC news reports that sleep can help fuel artistic creativity and scientific insight. Apparently, students can think better and find alternative, faster ways to do things when they've rested.

Um. Excuse me, but... they needed a scientific experiment to prove this? Isn't it just common sense that the brain sometimes needs a rest, and sleep is one way to get it? I really, really don't get the point of that story - or maybe I just need a nap :)

More SCO fun

Whee... According to The Register, NewsForge, Slashdot, and probably coverage in other places, too, SCO has sent a letter (or at least a draft) to the US Congress, asserting that the use of Linux in Europe and Asia is a direct threat to the US economy and, more or less, the US national security...

I just don't know what to say. Yep, a real loss of words. Read the articles, read the draft itself - it *does* have great entertainment value, if nothing else. The problem is, it might indeed have something else, too - it is written in exactly the glib manner that would appeal to politicians, especially politicians who do not always have the time or staff to do the research necessary to expose this as the FUD it is. Yep, we might have a problem here - though I sure hope not.

Still alive...

Well, well, well - it seems that I haven't been doing much writing here in quite some time, eh? It was quite a shock when, after adding a couple of links to the blog's index page, MovableType rebuilt the index page and did not show a single actual entry on it - then it turned out that there *were* no entries for the past 20 days, which was the default setting for how far back MT reaches for the indexes :)

Anyway, as noted in the title, I'm still alive and kickin' - even after all the holidays at the end of December and the beginning of January. And I don't know about you, but here in Bulgaria there seem to be an awful lot of those: not just the usual Christmas and New Year stuff, but all sorts of name days, too. Then there are the birthdays, which, according to any sane laws of probability, should be more or less uniformly scattered all over the year - but nooo, there just *had* to be a spike in January! Not that I'm complaining, mind :)

Still, it seems even this "extended holiday season" is drawing to an end - and not just because the final exams at the Sofia University are due to start this Saturday, January 24th... Yes, we do have exams on Saturdays, sometimes even on Sundays, and as luck would have it, I have an exam coming up on the 24th, the very day that my sister's flying to the US for the start of her spring semester. Well, it is an "Operating Systems" exam which should be relatively easy to handle, but still, it doesn't feel right...

Well, so much for today. Maybe I'll post more often in the future :) In the meantime, feel free to take a look at the blogs of Vasil Kolev, Georgi Chorbadhiyski and Boyan Krosnov, which I just added to the links section (hence the 20-day surprise mentioned above) - those are some of the guys whom I help torture the Sofia University's Faculty of Mathematics and Informatics students with the Network Security course :)

