Wednesday, December 30, 2009

Security by denial

Recently I stumbled upon the following news: "Cellphone Encryption Code Is Divulged". Look at the great authorities' response:

The G.S.M. Association, the industry group based in London that devised the algorithm and represents wireless companies, called Mr. Nohl’s efforts illegal and said they overstated the security threat to wireless calls.

“This is theoretically possible but practically unlikely,” said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. “What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

This looks like a classic sample of Security by denial to me. I should feel relieved knowing that this kind of research is illegal in several countries and that we know only one person that managed to break this encryption. Sigh!

A question to the reader: Do you think it is a good practice for some countries to make illegal the efforts to break those kinds of encryption?

I believe this leads to a false sense of security and gives an advantage to those who do not hesitate to break the law over those who obey it. It also leaves all of us who use this technology every day in the dark.

Old story: funny bug in Windows 9x/ME

It's been a while since I last posted here, but today I'm in a blogging mood and decided to share an old story. It happened around 2002 or 2003; I don't remember exactly.

I was working together with Georgi Georgiev on a small program called "Visual ISO" (can be found on my site). We found a serious bug: after the user quits the program, ALL Windows icons (those on the desktop, Start menu, Windows Explorer, etc.) disappear. I started to search for the problem. Several hours and a dozen restarts later I finally found it. It appears that when you get the system icon list handle with a Win32 API call, you could successfully call the corresponding API method to FREE IT! This worked on Windows 9x/ME but did not work on Windows NT and above. You have no idea how fast Windows becomes when there are no icons to display!

Being a good network citizen, I created a small program to reproduce the problem and decided to contact Microsoft about it. However, this turned out to be a problem. No contact info could be found on their site. I did several web searches, but still no luck. So I contacted a person known as a security expert to help me. He replied that he was using "security@microsoft.com". I wrote an e-mail with something like: "I've found a problem in the Windows API, but I don't think it is security related. Please point me to a non-security-related e-mail". I got a kind automated reply and the waiting began. More than a month later I got a reply from some support center in Germany stating something like: "If you have problems programming please contact ...."

... and that's how the problem was never reported ...

That was my story :) and here is my proof of concept code (not tested lately, it's a miracle I found it at all):


#include <windows.h>
#include <shellapi.h>
#include <commctrl.h>   /* HIMAGELIST, ImageList_Destroy (link with comctl32) */

int APIENTRY WinMain(HINSTANCE hinst, HINSTANCE hinstPrev, LPSTR lpCmdLine, int nCmdShow)
{
    SHFILEINFO shFinfo;

    /* With SHGFI_SYSICONINDEX, SHGetFileInfo returns a handle to the
       system image list. */
    HIMAGELIST hImgList = (HIMAGELIST)SHGetFileInfo("", 0, &shFinfo, sizeof(shFinfo),
        SHGFI_ICON | SHGFI_SMALLICON | SHGFI_SYSICONINDEX);

    if (NULL == hImgList)
        MessageBox(NULL, "Cannot retrieve the Handle of SystemImageList!",
                   "Error", MB_OK | MB_ICONSTOP);
    else {
        /* The bug: this list is not owned by the calling program, yet
           Windows 9x/ME let the destroy call succeed. */
        if (ImageList_Destroy(hImgList))
            MessageBox(NULL, "SystemImageList destroyed!", "Success", MB_OK | MB_ICONINFORMATION);
        else
            MessageBox(NULL, "Cannot destroy SystemImageList!", "Error", MB_OK | MB_ICONSTOP);
    }
    return 0;
}

Monday, June 15, 2009

Concept: Corner and side click in desktop environments

There are features I always use when working with my desktop. I use them so often that I take them for granted. If the OS takes them away in the next version, I won't be upgrading until I have them back (one way or another).

An example of such a feature is when I throw the mouse in the upper right corner and click to close the current maximized application without aiming at the cross icon there. This feature got me thinking - "why don't we use this 'throw cursor at the end of the screen and click' functionality in other places too?". To illustrate my point I'll show a simple idea. It's about removing the "Start" button (or the "K" button in KDE) and using the space there for something more beneficial.

Here is what we have now (in Windows XP):
But why do we need a button taking so much space just to say "Start" or "K"? Here is how a new version might look:

Note the barely visible green triangle in the lower left corner. This is where you need to click to open the start menu. Even if you are new to this desktop environment, it should not take you more than 2-3 minutes to learn and remember where it is. The benefit is that this way you have more space for your task bar and when you need the start menu just throw the mouse pointer to the lower left corner and click.

This was just an illustration of this concept. It is not limited just to corners or to a single click. Here are some more examples:
  • Single click in the upper left corner starts your favorite application
  • Single click somewhere in the first upper screen line (where your mouse stops) minimizes the current application
  • Single click to the lower right corner (where the clock is) does "Show desktop". I have this as a proof of concept application!
  • Double click somewhere in the leftmost screen column starts another application
All those are examples of the 'throw mouse cursor and click' concept. The click is important, because it eliminates the nagging of things showing by themselves when all you wanted is to remove the cursor from your desktop.

Note about my concepts: You are free to use the ideas represented in my concepts as you like as long as you don't present them as yours. Keep in mind that though those are my ideas, I don't claim (and did not check) that someone else didn't come up with the same ideas first. If you decide to use some of the concept ideas presented here, it's up to you to check for prior art, patents and so on.

Sunday, January 11, 2009

Announcing: Diamond SensorScroll

This Christmas I gave myself a new HTC Touch Diamond as a present. To be honest I made the present a month earlier, but who needs patience when it comes to hi tech gadgets?

I played around with it and found some missing features. The most obvious one for me was that the phone has a great sensor control which is used only by several HTC applications and Opera (custom version made for HTC). I decided to fix this and that's how I met Windows Mobile 6.1.

I spent some time on research and writing simple test applications and found that, though it is "Mobile", it is "Windows" only around 50% (the other 50% came from Microsoft's marketing department, I guess). Don't get me wrong here. It doesn't mean I don't like it. It's just quite different from PC Windows. The API is the same - but not quite; the internal architecture is totally different, and this left almost half of my Win32 API knowledge useless. After a month of research and a week of coding I finally brought my idea to life.

Announcing: Diamond SensorScroll
This is my latest free application. There are several things that happen for the first time because of it.
  • It is my first application running on Windows Mobile.
  • It is my first application published first outside my site and then on it.
  • It is my first application, about which people wrote comments and blog posts just hours after the initial release (on 1.1.2009).
All of this happened because I stepped into the great community of the http://forum.xda-developers.com/ site! The guys there caught me unprepared! All I expected was several downloads and some bug reports. Instead I got many thanks. Nearly 1000 downloads in the first 10 days (I released 3 bugfixing versions in that time and the application doesn't have 1000 users just yet). Greatly described bug reports with additional analysis of what went wrong. More thanks. Cool feature ideas. Links to blog posts for "spreading the word". An idea to add a donations link. And more! All this made me feel really happy to be part of this community. THANK YOU GUYS!

Now you know why the primary site for Diamond SensorScroll is http://forum.xda-developers.com/showthread.php?t=466377 :)

Have fun!

P.S. The picture you see in this post is from another blog post. I liked it, asked the author, and got permission to use it from now on. I hope this illustrates my point one more time :)