Imagine if you had to take your mouse and click at 10 particular spots in an image every time you wanted to unlock your screen at work. Doing this would take several more seconds at every sign on and would add up quickly. Often for systems that are used often keying in a password is still the fastest method.

Well Microsoft has developed a new solution. Instead of having password requirements that are visible to the user, like minimum length, they want to let users use anything as a password. Even simple passwords like “love” would be accepted. However there is a catch, only a small number of users will be allowed to use a particular password.

Complex password requirements were introduced to combat spraying and braying attacks. A spray and bray attack is when an attacker tries to use one particular password on a large number of accounts. This way bypassing lock out procedures. This solution by Microsoft will fix this by only allowing a small number of accounts to be compromised and thus reduce the benefits of the spray and pray attack while keeping passwords simple and easy to remember.

After a code review I often finding myself wondering was what was found worth my time and the reviewers time? Most of the code reviews that I have been apart of have had minor suggestions or more commonly code standards compliance problems. When you rummage through several hundred or a few thousand lines of code during a code review and all that is found is that you have a few extra blank lines or should change the name of a variable, it does seem like a bit of a wast.

I’m not saying that we should not care about those extra lines or any code standard for that matter. I’m a big fan of code standards, I think they help in the readability of code. I’m saying that there is a cost to code reviews, we have to weigh those costs against the rewards. When a reviewer only finds a few compliance issues, things that could be fixed by anyone that is reading through the code, it was not worth the time the reviewer spent reviewing.

So how do we make code reviews worth everyone’s time? Simple, we change the intent of a code review back to what the actual intent was. Code reviews are put into place to find bugs. Bugs that would show up to an end user or other developers that are trying to use the code.

You may say, “well Cory that is what every code reviewer is doing, they are looking for bugs.” However that is not true, sure they are looking for obvious bugs like unassigned variables being referenced, but they are not looking for deep bugs. One of the most common bugs comes from input validation, and yet it is a bug that is often over looked in code reviews. This is because it is often difficult to tell exactly where input to a function is coming from and how much it should be trusted. Detecting multi-level bugs requires a reviewer to see how the multiple levels interact and the path of the code in correct and error states. This kind of review takes a lot of time and drastically increases the complexity of a code review. The sharp increase is due to the fact that we are moving a code review from a mostly passive practice to a very active process.

Obviously code reviews could not detect all bugs and there will be times when a code review will not find any bugs. From this active process of a code review you get a new found level of confidence. Bug counts will be decrease and actual development should increase. This confidence is how a code review pay for themselves.

Thu Jul 08 23:05:33 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=16]

route-method exe

route-delay 2

In this paper, we examine the security of open source software versus that of closed source software. Facets examined include a brief history of the growing need for security in software, a comparison of the different philosophies driving the development of security in open and closed source software, arguments for obscurity in closed source versus the “many eyeballs” theory in open source, and the pros and cons involved with both development processes. We also look at the two approaches in practice, focusing on competing software like Linux and Windows, OpenOffice.org and Microsoft Office, and Apache and Windows IIS Server. Finally, we examine the impacts on society from software security, as well as who is responsible for maintaining secure software.

You can find more, including download links, if you visit my Research section of this website.

Which is fine and dandy for certain projects and if it works it works. However, a recent article underscores a feeling I have had with this trend. What is wrong with MySQL? The recent move to NoSQL would make one wonder how did we ever manage to store this information in the past? I’d have to guess that over 99% of all projects are not large enough to every be concerned with scale issues. By scale issues I mean trying to store Google’s search information. MySQL or some other relational database back-end is being used by nearly every large cooperation in the world to store and manage tons of information.

Relational storage based solutions are still perfectly fine for nearly every project and they are often much easy to use. Be sure to think carefully before trying to decide which direction to head down.

The thing about most AI style problems is that we can solve them in a much easier ways without AI. Passing a 3rd grade exam could be done with advances in natural language processing and some clever Internet searching. It turns out to be very difficult to find ways to test AI. Even the famous Turing Test may not be as satisfactory as one might think. Its hard for a human to tell even if they are talking to another human even if they are, in fact, talking to another human.

The reason why it is so hard to identify another human during the Turing Test is because we don’t know what we expect from another human. It comes down to the fact that we have no idea what makes us human. Its nearly impossible to describe a humans intelligence and identify the intelligent parts. So it would be very difficult to quantify how an AI system is better than a human, let alone equal.

I think before we are able to make any true AI system we first need to figure out how the human mind works. Which is turning out to be much easier said than done. Every time we figure something out about the brain, it creates at least ten more questions about the brain. To put this problem in some sort of perspective: We had a theory of computation decades before the first computer hardware and we had predictive models of space centuries before we had the ability to test them. However we have the hardware to run our AI systems on, but no theory as to how to do it. So I think we are at least half a century away from having anything near what we dream AI to become.

I was looking at the ASCII Table the other day and came up with a simplistic method to swap the case of a given character. That is to exclusively-or the value of the character with 0×20. This will convert the upper case to lower and the lower to upper. Its probably the fastest method to swap ,CPUs can xor in one cycle (excluding memory load time). However you still need some type of conditions to make sure the character is actually a letter and not a number of symbol.

Enjoy!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘????????????????’ at line 1

This is a common error when you first set up Java and MySQL to work together. To correct it simply add the following lines of code to your my.cnf in the section [mysqld]

collation_server=utf8_general_ci
character_set_server=utf8

#include “stdio.h”
#define M(Code) main(){FILE* fp = fopen(“source.c”, “w”);fprintf(fp,”#include \”stdio.h\”\n#define M(Code) %s\nM(%s)\n”,#Code,#Code);fclose(fp);}
M(main(){FILE* fp = fopen(“source.c”, “w”);fprintf(fp,”#include \”stdio.h\”\n#define M(Code) %s\nM(%s)\n”,#Code,#Code);fclose(fp);})

This is a pretty cute program if I can say so myself. When its ran it will create a file called source.c that will be exactly the same as the code above. You could even recompile source.c and it will create another source.c. You should attempt to do this on your own to see if you can come up with other cool ways of doing it.

Download: SelfRep.c