Imagine if you had to take your mouse and click at 10 particular spots in an image every time you wanted to unlock your screen at work. Doing this would take several more seconds at every sign on and would add up quickly. Often for systems that are used often keying in a password is still the fastest method.

Well Microsoft has developed a new solution. Instead of having password requirements that are visible to the user, like minimum length, they want to let users use anything as a password. Even simple passwords like “love” would be accepted. However there is a catch, only a small number of users will be allowed to use a particular password.

Complex password requirements were introduced to combat spraying and braying attacks. A spray and bray attack is when an attacker tries to use one particular password on a large number of accounts. This way bypassing lock out procedures. This solution by Microsoft will fix this by only allowing a small number of accounts to be compromised and thus reduce the benefits of the spray and pray attack while keeping passwords simple and easy to remember.

After a code review I often finding myself wondering was what was found worth my time and the reviewers time? Most of the code reviews that I have been apart of have had minor suggestions or more commonly code standards compliance problems. When you rummage through several hundred or a few thousand lines of code during a code review and all that is found is that you have a few extra blank lines or should change the name of a variable, it does seem like a bit of a wast.

I’m not saying that we should not care about those extra lines or any code standard for that matter. I’m a big fan of code standards, I think they help in the readability of code. I’m saying that there is a cost to code reviews, we have to weigh those costs against the rewards. When a reviewer only finds a few compliance issues, things that could be fixed by anyone that is reading through the code, it was not worth the time the reviewer spent reviewing.

So how do we make code reviews worth everyone’s time? Simple, we change the intent of a code review back to what the actual intent was. Code reviews are put into place to find bugs. Bugs that would show up to an end user or other developers that are trying to use the code.

You may say, “well Cory that is what every code reviewer is doing, they are looking for bugs.” However that is not true, sure they are looking for obvious bugs like unassigned variables being referenced, but they are not looking for deep bugs. One of the most common bugs comes from input validation, and yet it is a bug that is often over looked in code reviews. This is because it is often difficult to tell exactly where input to a function is coming from and how much it should be trusted. Detecting multi-level bugs requires a reviewer to see how the multiple levels interact and the path of the code in correct and error states. This kind of review takes a lot of time and drastically increases the complexity of a code review. The sharp increase is due to the fact that we are moving a code review from a mostly passive practice to a very active process.

Obviously code reviews could not detect all bugs and there will be times when a code review will not find any bugs. From this active process of a code review you get a new found level of confidence. Bug counts will be decrease and actual development should increase. This confidence is how a code review pay for themselves.

Thu Jul 08 23:05:33 2010 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=16]

route-method exe

route-delay 2

Today I was working on allowing me to upload my applications onto my Nexus One so that I could test the software on a real device. Well I ran into an issue after following Google’s tutorial on how to do it located here. I run Ubuntu 10.04 on my main development machine and so I followed the instructs for how to do it for Linux. Well when I got to the end of the tutorial when it tells you to test your the setup with the following command:

adb devices

I got the following output:

List of devices attached

???????????? no permissions

SUBSYSTEM==”usb”, SYSFS{idVendor}==”18d1″, MODE=”0666″

sudo service udev reload

adb devices

List of devices attached

???????????????? device

In this paper, we examine the security of open source software versus that of closed source software. Facets examined include a brief history of the growing need for security in software, a comparison of the different philosophies driving the development of security in open and closed source software, arguments for obscurity in closed source versus the “many eyeballs” theory in open source, and the pros and cons involved with both development processes. We also look at the two approaches in practice, focusing on competing software like Linux and Windows, OpenOffice.org and Microsoft Office, and Apache and Windows IIS Server. Finally, we examine the impacts on society from software security, as well as who is responsible for maintaining secure software.

You can find more, including download links, if you visit my Research section of this website.

Which is fine and dandy for certain projects and if it works it works. However, a recent article underscores a feeling I have had with this trend. What is wrong with MySQL? The recent move to NoSQL would make one wonder how did we ever manage to store this information in the past? I’d have to guess that over 99% of all projects are not large enough to every be concerned with scale issues. By scale issues I mean trying to store Google’s search information. MySQL or some other relational database back-end is being used by nearly every large cooperation in the world to store and manage tons of information.

Relational storage based solutions are still perfectly fine for nearly every project and they are often much easy to use. Be sure to think carefully before trying to decide which direction to head down.

Robbers want to rob a house when they will have the greatest chance of not getting caught. That means they do not want anyone to be home. These articles point out that when you post your ware abouts online, you are informing robbers. They could use the information that you are not home to go to your house and rob it. The first assumption is that your address is freely available. After doing a quick check of my computer illiterate friends on Facebook, I didn’t find any with that information available. However, the robber could use your name and a phone book to look you up.

The other problem is robbers already have tons of ways to find people that are not home. Simply picking up a phone book and calling numbers in order and going to the houses that do not pick up. In fact the robber could get lucky and they home owner would have put a message on their voice mail saying they will be out of town. Robbers also know that nearly everyone works during the day. So they can simply go up to a house during the day and knock to see if someone answers the door.

If we look at someone who can guarantee is not home during a certain time, such as a news anchor who is live on air at a certain time each day. We do not see an increase in the likelihood of robber for news anchors versus the average person.

I’m not saying its perfectly fine to post your ware abouts online. I just want to point out that it is very doubtful it increases your likelihood of being robbed. I hope the smart people at the insurance companies actually look at some data and not just jump on the chance to charge more money.

The thing about most AI style problems is that we can solve them in a much easier ways without AI. Passing a 3rd grade exam could be done with advances in natural language processing and some clever Internet searching. It turns out to be very difficult to find ways to test AI. Even the famous Turing Test may not be as satisfactory as one might think. Its hard for a human to tell even if they are talking to another human even if they are, in fact, talking to another human.

The reason why it is so hard to identify another human during the Turing Test is because we don’t know what we expect from another human. It comes down to the fact that we have no idea what makes us human. Its nearly impossible to describe a humans intelligence and identify the intelligent parts. So it would be very difficult to quantify how an AI system is better than a human, let alone equal.

I think before we are able to make any true AI system we first need to figure out how the human mind works. Which is turning out to be much easier said than done. Every time we figure something out about the brain, it creates at least ten more questions about the brain. To put this problem in some sort of perspective: We had a theory of computation decades before the first computer hardware and we had predictive models of space centuries before we had the ability to test them. However we have the hardware to run our AI systems on, but no theory as to how to do it. So I think we are at least half a century away from having anything near what we dream AI to become.

I was looking at the ASCII Table the other day and came up with a simplistic method to swap the case of a given character. That is to exclusively-or the value of the character with 0×20. This will convert the upper case to lower and the lower to upper. Its probably the fastest method to swap ,CPUs can xor in one cycle (excluding memory load time). However you still need some type of conditions to make sure the character is actually a letter and not a number of symbol.

Enjoy!