Ancient and Modern (aka “Digital Printouts” and Writing Secure Systems)

Ancient and Modern (aka

Digital Printouts.
I often find it funny to use the old reflex camera with films, but I mostly use it as if it was a digital one: I make many shots, some are good some are bad – I don’t bother printing them, I just let it develop and I scan the pictures I like from the film (several ones are even posted here this way).
I have even been talking about this with fellow flickerer’s:…

On the opposite, it often happens that I want to print some photos made with the digital camera. So I take them to the shop on the Compact Flash, or more often on a USB pen drive.

Today, tough, something strange happened: the machine they use to print digital photos (some very big professional system for printing on photographic paper with a proprietary application which manages it) hanged while it was trying to load this one photo which was on the USB pendrive.

The guy at the shop got panicked: he said a week earlier a guy got the machine infected with a Virus through his USB pen, and he had to stop working for three days, spend a lot of money to get the system reinstalled…

I tried to tell him to close the application but he did not even get what I was talking about. He was saying that the system was not responsive… I was pretty sure the system WAS responsive, it was just the APPLICATION which was hanging, and since it looked like an NT-based system I tried to guide him through CTRL+ALT+DEL, to start “Task Manager”, kill the application (this whole procedure took several minutes, and I had to show him which keys I was talking about as he was abel to find “ALT” but he had never hear of CTRL, left alone “DEL”). It was a Windows2000 Professional… so I wondered how did he logged in if he did not know that key combination….. I asked how did he get in when he started the machine…. “it opens automatically” he said. I see. I though it must be configured for autologon then. After killing the application he asked “how do I get out of this now??” “This” being Windows Explorer… I mean, the desktop. I pulled out my USB pendrive he was afraid of, I helped him reboot. He was nervous and he said it took much longer than normal to start up (I don’t believe ONE word of it, it just took much less time than my laptop with Vista takes to start up… but he was worried and that makes one anxious and makes time flow slower). He was afraid and nervous that the “thing” could have been broken somehow by trying to load a JPEG…
NOTHING made him confident about me: I tried to reassure him I am an IT Professional, that I work for Microsoft (unfortunately I did not have my business cards with me today, that would have probably helped!), that I put my hands on much more complex and “missioncritical” systems, that I would not bring him any virus whatsoever and I am paranoid about computer security…
Nothing. Nothing worked to re-assure him that there wasn’t anything to worry about my pen…

While the machine started I saw it doing AutoAdminLogon with Administrator… with a password of TWO characters.
Oh my god!
Then he wonders that he gets viruses from strangers. He runs as Administrator all the time!!!

But then I though and asked… “is there maybe a LIMIT on the SIZE of the file?”. “Of course there is!”.

Since the photo I wanted to print is actually a composition made of two photos pasted together, and each of the original was a 8 Megapixel photo, the resulting is a 16 Megapixel picture, a JPG file of roughly 8 megabytes in size. Well, this days it isn’t much anyway. We nearly have cameras which produce files with that high resolution…
..but if THAT application has a limit… WHY on earth doesn’t it CHECK for the bloody SIZE of the file BEFORE trying to load it ?

I mean, those are professional systems which – he said – cost around 150 THOUSAND of Euros… which they let run with an application which does NOT do any input checking/validation, runs the whole time as Administrator… while letting people bring in their own CD-ROMs, USB pens, flash memory cards….
and they expect it to be safe?

Now the guy was panicked and wouldn’t let me plug my pen in the machine again.

Then he’s keeping his shop closed in the afternoon since it is saturday, and I need that photo (and other ones) printed for tomorrow, because tomorrow it is my grandad’s 91st birthday and I wanted to bring them printed for him and framed as a present!

Morale: I have to find another place to print them in the afternoon, in a rush, because some company sells print systems which are written like crap, which need to run as Administrator and won’t do any input validation in their code. This is one of those situations where a design flaw matters.

Google has pissed me off this week!

Now I pretty much liked GMail and Google in general. But this time they REALLY pissed me off! I will tell you that I am not a google-hater even if I work for a competing company. Of course not everything that Google does is wonderful, but some of their services are really cool and useful and I have never denied to say they rocked when I felt they did.
In general, people seem to love them, and their stock value shows it (with the launch of “Code Search” this week they made a lot of people scream “how cool is this” so that they got back from just under 400 dollars to 417!). But that’s not the issue. That is cool, that works. It’s ok they make money if they make cool tools. It’s fine for me.

In fact i consider GMail as being one of the best interface for reading mail that exist out there – I love “tagging” (oops: it’s called “labelling” in their syntax), speed of search through messages (even tough Outlook 2007 is faster on indexed content, but still you have to buy it and install it on your PC)… I also especially love the way it shows THREADING… so that I moved pretty much EVERY mailing list I read on their account:

Ma come se fa ?
(ok, they could do better with the localized version of “Re:” in replies…. in Italian a lot of broken MUA’s translate that into “R:” and that isn’t understood by GMail and will make it think it is another thread…. but that’s a minor issue, and also one that every MUA handling threading has – including “mutt” – the real problem is the broken MUAs sending the “R:” in the first place. But I digress too much….).

I also keep GMail continuosly opened in a browser during the day because a lot of informative mail and that sent by friends goes there. This to say that I do get a lot of their ads (that is – the point of having such an application, for them…). On the contrary, Windows Live Mail reduced its ads to show only one… not to annoy you too much.
But the ads in GMail were not *really* a problem (I don’t read them anyway, I just plain IGNORE THEM).

But this week they REALLY pissed me off. They REALLY have. And here is the reason:
I have been using a script for MONTHS to backup my database (the one powering THIS blog) and send it “off-site” to my GMail mailbox. Pretty much something like a lot of other people do, described in various articles and blog posts. Then I was labelling them with a rule, so that I could access my backups easily in case I needed them.

Now I don’t know if this violates their terms of use in any way… because I am not really using it as storage with those programs that circulated at one stage that had “reverse engineered” it. Those were bypassing the web interface altogether so people did use it as storage with a program without having to see their ads. That was the issue, I think. In my case, I am just sending MAILS to myself. One per day. I also delete the old ones every now and then, and they are not even huge in sized (attachments of 40 to 50KB so far!!)… anyway, I know a lot of people that store documents and all sort of stuff even in their corporate mailboxes in Outlook (then maybe index them with Windows Desktop Search of Google Desktop to find it back)… I was only doing the same with GMail. I don’t see the big issue here….. they might think otherwise…. but from what happens I don’t think that’s the issue.

Anyway, now it’s been three or four days that my backup mail gets rejected. My SMTP Server gets told:

host[] said:
550-5.7.1 Our system has detected an unusual amount of unsolicited
550-5.7.1 mail originating from your IP address. To protect our
550-5.7.1 users from spam, mail sent from your IP address has been
550-5.7.1 rejected. Please visit
550-5.7.1 to review
550 5.7.1 our Bulk Email Senders Guidelines.

Now for fuck’s sake. You know how much I hate SPAMMERS and what I would like to do with them. But I also know that it does happen to end up in RBLs and such sometimes. Fine. But GIVE ME a way to tell you that I am NOT one! If you go to the link above, all you find is a form where you can specify that mail that ended up in your “junk” folder actually wasn’t spam. Yeah, right. In my case it does not even go into my “junk” folder! How am I supposed to give me the original header that arrived to THEM if I only have the one sent by my mailserver ? They just blacklisted my mail server’s IP Address! As they say, I even have an SPF record, I always use the same address, etc….
So I tried to fill in the form, the day after I also tried to contact their and addresses.
Still nothing.
They even tell you (in the automated reply when you contact “abuse”:
“[…] For privacy and security reasons, we may not reveal the final outcome of an abuse case to the person who reported it. […]”.
How great. How am I supposed to know if they even READ my complaint ?

You anti-spam people at GMail: “I am NOT a fucking spammer!!!!!”. I ‘haven’t found a better way to tell ya this, you know, than writing it on my blog… this is just RIDICULOUS!

But to date my mails still get dropped. I’ll probably have to send my backups somewhere else. At this point they pissed me off so much that I am also seriously considering getting back to use my own mailserver also for receiving and reading my mailing lists. Then I won’t get ads there.
(I hope you have some dutch guy on board at Google, as “Google Translate” does not translate from/to dutch yet…. )

Edited on October, 8th – While GMail REJECTS those mails (it SAYS it is not accepting them), Hotmail simply DROPS them (that is: it does not even SAY it is not accepting them):

to=,[], delay=3, status=sent (250 <> Queued mail for delivery)

This way you THINK it is going to be delivered, but it NEVER shows up in your inbox. I don’t know who’s behaving the worst…

The theater of terrorism

“[…] not giving the terrorists extended ovations for their performances is an important part of the solution. […]”
So writes Adam. Right. I agree completely.
In fact I am not scared, I am never been scared, and to be honest I am REALLY annoyed by the security measures – in airports and elsewhere. I think THAT is actually more “theatre” than the attacks themselves….

At the end of September I’ll have to go to England for work. Not being able anymore to carry a hand luggage, I think I will have to leave my camera home. I cannot afford to get that stolen or broken by sending it as luggage. I’ll have finished paying that in 2008… you can imagine I am worried…

I am actually tempted to show up in this T-Shirt to be honest…

How programs can teach each other

This article shows an intersting (interesting because it is simple but effective!) approach to train SpamAssassing Bayesian spam filter by leveraging the training data in Thunderbird bayesian filter. Basically you can use a program to teach another program how to work better!
This paradigm is cool!

Much ado about Files Screening in R2

File Screening in Windows 2003 R2 can be circumvented, but this isn’t that terrible, IMHO, and I’ll explain you why.
You might be wondering what the heack am I talking about. I am referring to what’s written in this blog post (an old one) that I spotted only today. Here the author is referring to a MS Blog also mentioning a post about the fact that file screening in R2 can be circumvented.

Yes it can be circumvented, BUT… there are seveal “but”s I can say; In fact, I have been presenting Windows 2003 R2 to several customers and I got asked this question several times, and I usually explain this in the following way:

first, it would be too heavy of a performance hit to get and check the real “nature” of a file, rather than just its file name.
Also: how would you technically do that ? Checking some headers in the file ? In this case you would need to mantain a database of known file types, keeping it up to date as new versions of that file format appear…
and then what about executables which have been passed through a “packer”
(one of those utility that effectively shrinks them while mantaining them executable) ?
What about encrypted files ? What about… ?? It just doesn’t plain work. Just like many other signature-based detection mechanisms (Antivirus or IDS). Or at least, to KEEP working needs to be constantly updated (or be useless).

The file screening thing is not meant to be impossible to circumvent, rather is a way of saying to the user that he/she’s not allowed to place that content there, to get notified about that, to get this information TRACKED somewhere possibly….
Of course this can be circumvented. But is not going to be very practicle, especially when your users are USERS and are restricted so that they can’t associate new extention to be opened from within their media player as you are suggesting….

Moreover, file screeing is just ONE of many features of the component called “File Server Resource Manager” in Windows 2003 R2. Those features are meant to be used altogether: So, for example, while a user COULD circumvent the restriction and copy “.mp3” files by calling them “.xyz”, but then with the useful reporting an admin would very easily spot them by looking at those directory that strangely contain a lot of “.xyz” files that happen to be roughly 5MB in size (all of them)…
In the same way by using the reporting feature you could see those huge “.doc” files are actually divx by looking at the “large files” report – how many pages would you have written to get that Word document up to 700MB ?? It can’t be the usual letter Mary writes, it looks a lot more like the size of Encarta… something is then fishy about it.

You get what I mean ? It won’t block the user ALL the times, but it will still drastically reduce the user abilty to waste our space, and if implemented with the proper controls and procedures and preocesses (think ITIL) in place, this can still be a valuable tool.

(I also posted this answer as a comment on the above-mentioned blog).

Old and new demonstrations, War keeps sucking

Peace Demonstration in Amsterdam - 15th february 2003

It was already more than three years ago and they are still fighting.
I can remember it well, the start of this Iraq war, because they attacked on the 20th of March – that is my bday.

The photo is of the huge demonstration that was held in Amsterdam. Actually it was kept in a lot of countries, and they were all huge.
Still they did not listen, they went further, and fought this war anyway, regarless of people’s will. It’s always time to remember.

I get this old memories, also to say that tomorrow it is “Festa della Repubblica” in Italy, and in Rome they want to carry on this idiotic military parade they have been doing for some years now.

But there’s also a counter-demonstraion of people that dislike the military forces and that want PEACE.
Guess which demonstration will be more colourful and HAPPY ?

I’ll try to get there tomorrow and take some photos too. But I am not sure I’ll make it…. my kid has got a basket match first that he cares about. So I’ll go there, and then I’ll try to go to Rome, park *somehow* *somwehere* (it will be madhouse) and catch the “Peace-Parade” that will be already started of course…..

Trackback Spam

Oh I hate spammers, you know ? In fact I’ve also got this goal I would like to mark as “done”….
…but that’s more for laughing than to be serious, really.

Coming to comment spam, I’ve been dealing quite a lot with the old ‘b2’ (WordPress’s progenitor) at one stage, while I could not be asked to upgrade yet. At one stage I’d even coded my own unofficial fix for it to keep it going and mantain my sanity…

Then with WordPress I’ve enabled a CAPTCHA plugin which takes care of robots and only lets HUMANS place comments.

But now it’s the turn of trackback spamming….
Sure, a lot of people have seen it AGES before me, simply because people DO read THEIR blog more than mine….
In a way, this might mean this is starting to be read – gosh! Who makes you read this ? Are you really THAT bored to get to read me?

Anyway, here’s a couple of useful links proposing approaches to tackle comment and trackback spam. They might be useful to you too:

Also now, I could get some of those plug-ins…. probably. For now I don’t have time to test the plug-ins, so I’ve just hacked my own fix, see if it does. Probably I will have to ‘touch’ it again, as I might have broken the trackback feature altogether. Well, it will pretty much test itself. Spammers, where are you now ? I’m watching my logs, please try….

[edited: 20th May 2006 – Ok they did send trackbacks tonight and my fix did work :-)]

Java… oh Java… (aka “High vs. Low level languages rant”)

I said here (and someone else said that too) that “Java is the new cobol”.
When saying so, I mentioned that En3pY hates Java, here it is another post by him written after I forwarded him this Joel Article (which I read from Scoble, in turn).

All in all, in this case, I tend to partially agree on some points but slightly disagree on others with Joel.

In fact, while I do acknowledge the need of “hardcore” developers to fix and build lower level things and mantain current code (and know WHAT they are doing), there are also many cases where coding in a high level language which abstracts complexity IS actually more efficient and cost effective, not having to reinvent the wheel every time.
So there are a lot of useful and nice programs written by people who DO KNOW what happens under the hood (as good in C as in Assembler), that for simplicity and flexibility run in sandboxes, high level languages, even interpreted ones! An example is Dave Aitel’s CANVAS, written in Python. But that’s just an example.

But I do agree with En3pY that I don’t like Java myself, and I consider it being too “heavy”, in general.
Solution on my side, tough, is that you don’t need C or assembler to get cleaner, smaller, more efficient code, you just need better languages. An example of this is a situation I have been involved in some time ago: in that case a colleague (that works with a very large customer who has a very large exchange deployment) needed to do some performance testing of this Exchange system. He had done the testing from some Windows IMAP clients, but the customer also wanted to see the same performance values measured from a Linux box accessing the same exchange via the very same IMAP protocol.
So I wrote a nice and sweet Ruby script – and at the same time another colleague developer a similar application (in Java).
Result: 45 kilobytes of .JAR to do the same things I did in 20 lines of Ruby (20 lines – including comments!).

On this website we use first or third-party tools that store small files (cookie) on your device. Cookies are normally used to allow the site to run properly (technical cookies), to generate navigation usage reports (statistics cookies) and to suitable advertise our services/products (profiling cookies). We can directly use technical cookies, but you have the right to choose whether or not to enable statistical and profiling cookies. Enabling these cookies, you help us to offer you a better experience. Cookie and Privacy policy