
Dual Signatory Bank Accounts in a Digital Age


[Figure: online approval diagram]

Dual or multiple signatory bank accounts are a necessity for many businesses and organisations. In short, it means you require (normally) two people to withdraw money from an account. This is normally done via cheque.

The problem with this is that cheques are so outdated! There’s a very easy way we could move multiple signatory bank accounts into the electronic age: use an approval system for electronic fund transfers. Today, when someone wants to transfer money from their bank account to another, they log in to their Internet banking system and transfer the money. The same could be done for multiple-signatory accounts. One of the signatories logs in to the account and requests or initiates a transfer. This transfer doesn’t happen automatically of course. It requires another signatory to log in and approve the transfer. How that other signatory finds out could be the job of the person who requests the transfer, or the system could automatically send an SMS to all the other signatories on the account (which could also help prevent two signatories making unauthorized withdrawals.)

Unfortunately, I don’t know of any bank in Australia that does this. I would seriously consider moving the bank account for my organisation to that bank (providing they have a branch in the near vicinity and I can convince others that it’s a good idea.)

Are there any security concerns with this? Well, if a signatory has the password for someone else’s account, yes, however this is probably harder than forging someone’s signature (signatures aren’t checked that closely on most cheques under a certain value,) and still illegal. If there was a notification system for all signatories and a mandatory waiting period (e.g. 12 hours) then it could certainly be more secure than a cheque.

Come on Australian banks – let’s enable people to completely ditch cheques!
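
As an added example (not code from the original post), here is the approval flow described above as a small Python model: the requester supplies the first signature, a second, different signatory must approve, every other signatory is notified of the request, and nothing executes before the 12-hour waiting period the post suggests. The class and method names, the clock value T0 and the walkthrough scenario are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed parameters for the walkthrough; a real bank would set these per account.
WAITING_PERIOD = timedelta(hours=12)   # the post's example mandatory waiting period
T0 = datetime(2013, 10, 1, 9, 0)       # constructed "now" so the example runs offline
HOUR = timedelta(hours=1)


class ApprovalError(Exception):
    """Raised when a request, approval or execution breaks one of the account's rules."""


@dataclass
class TransferRequest:
    amount_cents: int
    destination: str
    requested_by: str
    requested_at: datetime
    approvals: set = field(default_factory=set)   # signatories who have signed so far
    executed: bool = False


@dataclass
class DualSignatoryAccount:
    signatories: frozenset
    required_approvals: int = 2
    notifications: list = field(default_factory=list)   # (recipient, message); stands in for SMS

    def request_transfer(self, who, amount_cents, destination, now):
        if who not in self.signatories:
            raise ApprovalError(f"{who} is not a signatory on this account")
        req = TransferRequest(amount_cents, destination, who, now)
        req.approvals.add(who)   # requesting counts as the first signature
        # Tell every other signatory, so a request nobody expected gets noticed
        for other in sorted(self.signatories - {who}):
            self.notifications.append((other, f"{who} requested {amount_cents} cents to {destination}"))
        return req

    def approve(self, who, req):
        if who not in self.signatories:
            raise ApprovalError(f"{who} is not a signatory on this account")
        if who in req.approvals:
            # Covers the requester approving their own request as well as a double approval
            raise ApprovalError(f"{who} has already signed this request")
        req.approvals.add(who)
        return len(req.approvals)

    def execute(self, req, now):
        if req.executed:
            raise ApprovalError("request already executed")
        if len(req.approvals) < self.required_approvals:
            raise ApprovalError(f"need {self.required_approvals} signatures, have {len(req.approvals)}")
        if now - req.requested_at < WAITING_PERIOD:
            raise ApprovalError("waiting period has not elapsed")
        req.executed = True
        return True


def walkthrough():
    """Runs the flow from the post on a constructed three-signatory account and records each outcome."""
    acct = DualSignatoryAccount(frozenset({"alice", "bob", "carol"}))
    req = acct.request_transfer("alice", 250_00, "supplier account (constructed)", T0)
    steps = {"notified": sorted(r for r, _ in acct.notifications)}
    for label, action in [
        ("self_approve", lambda: acct.approve("alice", req)),          # requester cannot be the second signature
        ("one_signature", lambda: acct.execute(req, T0 + 1 * HOUR)),   # only one signature so far
        ("bob_approves", lambda: acct.approve("bob", req)),
        ("still_too_early", lambda: acct.execute(req, T0 + 11 * HOUR)),
        ("after_wait", lambda: acct.execute(req, T0 + 13 * HOUR)),
        ("replay", lambda: acct.execute(req, T0 + 14 * HOUR)),         # cannot be executed twice
    ]:
        try:
            steps[label] = action()
        except ApprovalError as e:
            steps[label] = f"rejected: {e}"
    return steps
```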

Cloud Sync: Copy.com


Copy.com was recently posed to me as a good alternative to Dropbox, especially given it has much better value for money. Dropbox costs $99/pa for 100GB and $199/pa for 200GB. Copy is $99/pa for 250GB and $199/pa for 500GB. Basically 2.5 times as much storage for the same price. It was pitched to me as matching Dropbox feature for feature, just better value. My Dropbox yearly subscription is expiring soon, so I signed up for a month of Copy to see how it goes.

I have about 91GB of stuff in Dropbox (out of about 130GB of storage – 100GB paid storage and 30GB in bonus referrals.) I used mover.io to move everything from Dropbox to my Copy account. Mover gives 10GB of transfer free normally, however if you are transferring to or from a Copy account, it gives you unlimited transfer (which is good because it costs $1/GB for transfers.) Everything went well and I got my desktop computer synced with my new Copy account.

My impression of Copy is that it feels like an early version of Dropbox. This isn’t a problem, Copy hasn’t been around as long as Dropbox, so it isn’t surprising that Copy doesn’t feel as mature as Dropbox.

There are a few problems I’ve been facing though:

  • LAN Sync doesn’t work – it’s supposed to have it (see tweets below,) but it doesn’t work, and I’m not the only one with this problem.
  • It doesn’t work on my Uni firewall and I can’t seem to get the proxy working properly. This may be my fault or my uni’s fault, however with Dropbox at first it was easy to configure the proxy and it worked, but in the past year I haven’t even needed to configure a proxy for Dropbox to work at Uni.
  • Web interface isn’t as fully featured as it should be; for example, you can’t “undelete” a file from the web interface, only the desktop interface. This is opposite to what I would have expected.
  • It doesn’t preserve all the file attributes, such as date modified. Dropbox does do this, Copy doesn’t. I rely a fair amount on date modified attributes, and have done so with Dropbox for over 3 years.
  • The client got up to 1GB of RAM usage on my laptop. My laptop only has 4GB of RAM, I’m not sure what justification there is for a cloud sync client getting up to 1GB.


https://twitter.com/copyapp/status/381084858337869824
One of the things is that I purchased my subscription on the premise that it had LAN sync, and it supposedly does have it, it just doesn’t work. In addition, whilst I hadn’t checked this, I expected it to preserve all the file attributes where possible. It may be difficult to do when supporting cross-platform, but it shouldn’t be that hard, and Dropbox certainly did do it.

At the moment I’m wondering whether or not I should renew my Dropbox subscription for another year (expires towards the end of the month) or just dive in with Copy and learn to live with the shortcomings of it but have significantly more storage (which I can certainly put to good use.) For example, the lack of LAN sync is something I can get over once my laptop has finished syncing, the problem is syncing 91GB can take some time. At least with my desktop I was able to leave it turned on with a reliable connection all day syncing, my laptop I don’t have that possibility.

Update 8/10/2013: It does seem to work at Uni, not sure why it didn’t the first time around!

Update 19/10/2013: I just upgraded to Windows 8.1 on my desktop and laptop and LAN sync started working – my laptop’s now all synced! This also means other problems such as the client using a lot of RAM may not be an issue anymore, so I’ll keep an eye on that. I’ve got around preserving file attributes – that may have been a problem with mover.io rather than Copy.

A Week with IE: It’s not the browser we love to hate

Pretty much everyone in the tech industry loves to hate Internet Explorer, unless their pay cheque comes from Redmond. Most of the dislike for IE stems from version 6, the version that wouldn’t go away. It was good at first, but very quickly newer and better browsers came along, with features such as tabbed browsing and download managers that very quickly made IE6 look dated. From this, most people who actually know what a web browser is tend to hate IE.

I figured, it’s been 3 versions since IE6. Surely it can’t have gotten worse? I thought I’d give IE9 a try and see how it went. I am putting my geek cred on the line for this test, so I hope it’s worth it.

The Good

Believe it or not, there is reason for a “good” section.

  • It no longer sucks. I guess the fact that this is a “good” feature means that it’s not off to a good start, but it’s true, it definitely doesn’t suck as much as IE6 did. If it did, I would have found myself crawling back to Chrome within half an hour… or I would have thrown the computer across the room.
  • It integrates well with Windows 7. This is something that no other browser can do well. You can drag the icon for a particular website onto the taskbar and have the ultimate shortcut. For supported websites (such as Facebook,) that icon will even come with jump lists to go directly to places like your News Feed, Messages and Events. It also has all the tabs displayed when you hover over the icon, rather than just each individual window. Depending how many tabs/windows you have open, this can be annoying, but in most cases it works well.
  • Colour coded tabs. When you open multiple links from the one page, and any link from those pages, they’re all colour coded the same colour. It’s hard to explain, but next time you use IE9 and find yourself opening heaps of tabs, take note of the colour of those tabs. Really great for tab junkies (like me.)
  • It’s quite stable. No matter how fast Chrome is, it did crash more than I would have liked. The only crash I’ve had with IE is related to Flash, which won’t really be around much longer anyway.
  • It has features like Incognito mode (that I don’t really have a use for) and speed dial for frequently visited websites that we see in all modern browsers (either native or through extensions,) and also has a nice built-in “Accelerator” feature. You can select a portion of text and perform actions with it, such as email it to someone, perform a web search or post it on a blog. It takes a little while to get used to, but it works well.

The Bad

There are a few minor annoyances that may not be noticeable to some, but are noticeable to me, and I’m sure would be noticeable to at least some other people besides me.

  • Each tab is treated as a different application when it comes to changing keyboard layouts. This isn’t going to be noticeable to the majority of the world, since not that many people (at least those who only speak one language) would use two (or more) keyboard layouts. I do use 2 keyboard layouts. Normally what happens when you change keyboard layouts, that layout now affects the entire application you are using, but not other applications. With IE, when I change layout, it only affects the tab that I’m on. It could be a feature, but I can’t imagine many people wanting different keyboard layouts for different tabs… different applications I can understand (and have grown used to,) but different tabs? Please Microsoft, fix this.
  • Extensions. I can’t really criticise Microsoft for the lack of extensions, they aren’t the ones who are meant to make them. That said, extensions have to be installed just like any other Windows application, using one of many installation wizards available. You also need to restart IE for most extensions to work properly. I don’t know what the development environment is like for extensions, but I feel Microsoft should definitely work on both the development side of things and the installation side of things. Maybe a centralised website with an in browser installer would be good.
  • Still lacks basic features such as spell checking and bookmark syncing. These features are really good in Chrome.
  • The popup blocker isn’t really that good. Don’t get me wrong, it does block popups, just too many popups. If I have the popup settings too relaxed, popups that I don’t want (that is, ads) still get through in many cases. If I up the settings, it literally blocks everything, even ones that I do want (such as when I click on a link.) Maybe because I’ve been using Chrome for so long I’ve permanently allowed all the websites that I ever had problems with. IE does allow you to allow popups from a domain, either temporarily or permanently, but to do so requires you to reload the page, which in some cases doesn’t always work properly.

Summary

Remember those days that you used to try and beg your parents and friends to ditch Internet Explorer because, well, let’s be honest, it sucked? That’s no longer necessary. If a friend or relative is using IE (let me clarify: version 9 at least) and they aren’t having any problems with it, let them be.

That said, many power users may not like it. Lack of extensions and advanced features I know many will not be able to live without. So far I have, and plan to, stick with IE for as long as I can as part of this experiment, but there just may be too much that advanced users can’t live without. For those people, of course use Chrome or Firefox or whatever you want.

With the improvement in web standards that have been demonstrated with IE10 preview releases, I finally feel that IE will be a browser that is no longer deserving of the reputation that it has for such a long time received, in most cases rightfully so.

Databases: How to securely store sensitive information

One problem that many people have is figuring out the best way to securely store sensitive information that needs to be retrievable, such as credit card numbers, in a database. The solution for passwords is simple: hash (and salt) them. That’s fine, because you don’t ever need to retrieve a password; the user has to input it and you compare the hashes. For credit card information, doing something like that would be, well, absolutely pointless, since it would defeat the purpose of actually storing the credit card information in the database.

How it’s already done

It’s already possible, to some extent, to encrypt credit card information. You could use a private/public key pair in some way, or you could just encrypt everything with the same symmetric key. The problem with this is that the private key or encryption key needs to be stored somewhere, and the web server needs to be able to access it. So it may work if your database and web servers are different machines and only your database server gets compromised, but if your web server gets compromised as well (remembering that many smaller websites will use the same server as the web server and database server,) then it’s pretty pointless.

Is there a way that the web server can decrypt it without having any human interaction (e.g. to type in the encryption key) except for the customer? I believe there is.

Alternate Way

So I got to thinking, how could this possibly work? Then I thought of this: take 2 hashes of the password (with 2 different salts,) then store one in the database for log in purposes, and use the other one as a symmetric key for sensitive information and store it in a cookie.

It would go something like this:

  • Password = P
  • Salt1 = S1
  • Salt2 = S2
  • Hash1 = Hash(P & S1)
  • Hash2 = Hash(P & S2)
  • Hash1 and Hash2 are both generated when a user logs in.
  • Hash1 is stored in database, and is used to compare log in.
  • Hash2 is stored in a cookie on the user machine and accessed when needed.
  • Credit Card Info = CC
  • Secure Credit Card Info = Encrypt[Key: Hash2] (CC)
  • Store secure credit card info in the database.
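
As an added example, not code from the original post, here is the scheme above in Python: derive_hashes() produces Hash1 and Hash2 with PBKDF2 over the two salts, the Server class (constructed for the example) keeps only the salts, Hash1 and the encrypted card in the user's row, and the Hash2 returned by login() is the value that would go into the cookie. Assumptions: PBKDF2-SHA256 as the hash, and, to keep the example dependency-free, HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as the cipher where a deployment would use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption, the post just says "hash"
KEY_LEN = 32


def derive_hashes(password, salt1, salt2):
    """Hash1 = Hash(P & S1) is stored for login; Hash2 = Hash(P & S2) goes back to the browser only."""
    pw = password.encode("utf-8")
    hash1 = hashlib.pbkdf2_hmac("sha256", pw, salt1, ITERATIONS, KEY_LEN)
    hash2 = hashlib.pbkdf2_hmac("sha256", pw, salt2, ITERATIONS, KEY_LEN)
    return hash1, hash2


def _subkeys(key):
    # Separate encryption and MAC keys derived from Hash2, so neither is the raw cookie value
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in PRF keystream; it keeps the example
    # dependency-free. A real deployment would use AES-GCM from a vetted library.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC; the result is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong Hash2 or tampered ciphertext
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Constructed server: a user row holds the salts, Hash1 and the encrypted card, never Hash2."""

    def __init__(self):
        self.db = {}

    def register(self, user, password):
        salt1, salt2 = os.urandom(16), os.urandom(16)
        hash1, _ = derive_hashes(password, salt1, salt2)   # Hash2 is discarded server-side
        self.db[user] = {"salt1": salt1, "salt2": salt2, "hash1": hash1, "cc": None}

    def login(self, user, password):
        """Returns Hash2 for the cookie on success, None on a bad password."""
        row = self.db[user]
        hash1, hash2 = derive_hashes(password, row["salt1"], row["salt2"])
        if not hmac.compare_digest(hash1, row["hash1"]):
            return None
        return hash2   # set as a Secure, HttpOnly cookie; keep it out of logs and caches

    def store_card(self, user, cookie_key, card_number):
        self.db[user]["cc"] = encrypt(cookie_key, card_number.encode("utf-8"))

    def get_card(self, user, cookie_key):
        return decrypt(cookie_key, self.db[user]["cc"]).decode("utf-8")

    def reset_password(self, user, new_password):
        """Password recovery: the old Hash2 can no longer be derived, so the card must be re-entered."""
        row = self.db[user]
        row["hash1"], _ = derive_hashes(new_password, row["salt1"], row["salt2"])
        row["cc"] = None
```

reset_password() shows the consequence the post lists under its downsides: a new password gives a new Hash2, so anything encrypted under the old one is unrecoverable and is cleared.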

Down Sides

There are of course down sides.

  • It’s extra work to have to do, in that you need to generate an extra hash each time the user logs in.
  • It won’t work if they forget their password. You can use a good password recovery method, but then they’ll need to re-enter all the information you have encrypted.
  • Cookies aren’t necessarily the most secure method of storing info, but at the same time someone would have to compromise your web server and database server whilst that user was logged in to be able to access their cookies, or manage to get into the customer’s system (but if that happens, it’s not your problem.) Also, make sure your web server doesn’t store a cache of cookies somewhere, or store them in a log file. That would also defeat the purpose (well, it would still make it harder for a hacker to figure out, but once they do it’s all gone.)
  • You won’t be able to do subscription payments, since the customer will need to be logged in to do it. I personally think this could be good, as I don’t like companies automatically charging my credit card, a solution would be for them to email me and have me login to approve each payment.

Also remember, do everything over HTTPS! There’s no excuse not to do everything over HTTPS these days. You should also never rely on the encryption to store data securely; rather, you should focus on preventing data getting into the wrong hands… encryption is so that if your database does get compromised, you can minimise the damage done.

Android: SQLite Database Upgrade

Note: I haven’t edited this since writing it, or fully tested the code that I present (that said, it’s heavily based on one of my apps, it’s just I’ve reduced the number of tables being made.) I will update the tutorial later on when I get a chance.

There are quite a few tutorials out on the web on how to make a SQLite database within an Android application, but not so many that deal with properly upgrading the database.

Over time the requirements of the database within your application may change; this is almost inevitable if your application is in active development and you’re constantly adding new features. Properly upgrading the database in your app is important, because if something goes wrong your application will have unexpected behaviour (such as crashing) or you may lose all your user data and have to start over.

Version 1 of your database

If you have followed one of the numerous tutorials online on how to set up a SQLite database in your app, you most likely have some form of DatabaseHelper class that extends SQLiteOpenHelper. It may look something like this:

package com.example.sampledb;

import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

import java.text.SimpleDateFormat;

public class DbHelper extends SQLiteOpenHelper
{
    private static final String DATABASE_NAME = "mysampledb";
    private static final int DATABASE_VERSION = 1;

    private static final String DATABASE_CREATE_SAMPLE_TABLE = "CREATE TABLE tblSample" +
        "(" +
        "   _id integer primary key autoincrement," +
        "   name varchar(32)" +
        ");";

    public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss.SSSS";
    public static final SimpleDateFormat SIMPLE_DATE_FORMAT = new SimpleDateFormat(DATE_FORMAT);

    public DbHelper(Context context)
    {
        super(context, DATABASE_NAME, null, DATABASE_VERSION);
    }

    @Override
    public void onCreate(SQLiteDatabase database)
    {
        database.execSQL(DATABASE_CREATE_SAMPLE_TABLE);
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion)
    {
        // Do nothing for now
    }
}

Each time the helper is used, it will check to see if this database and version already exist. If the database doesn’t exist, it will create the database by calling onCreate(), and it will store the database name and version number with it. If it does exist, but the stored version is lower than what is defined in DATABASE_VERSION, the onUpgrade() method will be called.

Version 2 of your database

The question is, what is the best way to handle an upgrade? I had a think about the way it worked, and I decided the best way would be to loop through all the different versions and apply the required changes.

Let’s say you wanted to add a field to “tblSample” called “address”. The new statement to create the database table would look like:

CREATE TABLE tblSample
(
    _id integer primary key autoincrement,
    name varchar(32),
    address varchar(128)
);

This is obviously what you will want to change your “DATABASE_CREATE_SAMPLE_TABLE” variable to, since you want all new creations of the database to be up to date. You also want to use the onUpgrade() method. The way I have implemented the onUpgrade method is as follows.

package com.example.sampledb;

import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

import java.text.SimpleDateFormat;

public class DbHelper extends SQLiteOpenHelper
{
    private static final String DATABASE_NAME = "mysampledb";
    private static final int DATABASE_VERSION = 2;

    private static final String DATABASE_CREATE_SAMPLE_TABLE = "CREATE TABLE tblSample" +
        "(" +
        "   _id integer primary key autoincrement," +
        "   name varchar(32)," +
        "   address varchar(128)" +
        ");";

    public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss.SSSS";
    public static final SimpleDateFormat SIMPLE_DATE_FORMAT = new SimpleDateFormat(DATE_FORMAT);

    public DbHelper(Context context)
    {
        super(context, DATABASE_NAME, null, DATABASE_VERSION);
    }

    @Override
    public void onCreate(SQLiteDatabase database)
    {
        database.execSQL(DATABASE_CREATE_SAMPLE_TABLE);
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion)
    {
        // Step through every version between the one on the device and the one
        // this build of the app expects; case i holds the statements that take
        // version i to version i + 1, so the cases chain together.
        for (int i = oldVersion; i < newVersion; i++)
        {
            switch(i)
            {
                case 1:
                    // version 1 -> 2: add the address column
                    db.execSQL("ALTER TABLE tblSample ADD address varchar(128)");
                    break;
            }
        }
    }
}

How will this work? Well, quite well from what I’ve found, since it will work for any upgrade… if you always use this method, it will work for upgrading from version 1 to 9, or from version 4 to 5. Basically, it will loop through every version from the one currently on the device up to the new one.

So, if my phone is on version 1, and the app needs to upgrade to version 2, this loop will iterate one time, with the value of “i = 1.” The switch case statement should, for each version number, execute the required statements to upgrade from that version to the next. So, in this case, “case 1:” will execute the required statements to upgrade from version 1 to version 2.

Potential Problems

The biggest problem that you may face is if your “fresh” database creation statements get out of sync with all the update statements. What should always be the case is, if you start with version 1, and run all the update statements to get it to the newest version, the schema of the database that has been upgraded should match exactly the schema of the database if it were created from the newest version.

In short, the best way around it is only make small changes to your database at a time, and make sure you apply the changes to both the creation statements and the update statements such that they match. I would also suggest always using string literals in the update statements rather than refer to any variables. This would definitely be the case if you need to create a new table. It would be tempting to just refer to the DATABASE_CREATE_NAME_TABLE variable in the upgrade section, but remember that this variable should be creating the newest version of the database, and in your upgrade statement, you need to be aiming to move to the version after what is specified in the case statement. So whilst it will work at first, when you change that table, it may mess up.

A potential solution

One potential solution I have thought of that may work is to keep the create table statements the same as they were in version 1. Then, when you create a fresh database in the onCreate method, you create all the tables as they were in version 1 and call the onUpgrade method with the arguments (database, 1, DATABASE_VERSION). It would look something like the following:

package com.example.sampledb;

import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

import java.text.SimpleDateFormat;

public class DbHelper extends SQLiteOpenHelper
{
    private static final String DATABASE_NAME = "mysampledb";
    private static final int DATABASE_VERSION = 2;

    private static final String DATABASE_CREATE_SAMPLE_TABLE = "CREATE TABLE tblSample" +
        "(" +
        "   _id integer primary key autoincrement," +
        "   name varchar(32)" +
        ");";

    public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss.SSSS";
    public static final SimpleDateFormat SIMPLE_DATE_FORMAT = new SimpleDateFormat(DATE_FORMAT);

    public DbHelper(Context context)
    {
        super(context, DATABASE_NAME, null, DATABASE_VERSION);
    }

    @Override
    public void onCreate(SQLiteDatabase database)
    {
        // Build the version 1 schema, then run the same upgrade path an old
        // install would take, so fresh and upgraded databases cannot drift apart
        database.execSQL(DATABASE_CREATE_SAMPLE_TABLE);
        onUpgrade(database, 1, DATABASE_VERSION);
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion)
    {
        for (int i = oldVersion; i < newVersion; i++)
        {
            switch(i)
            {
                case 1:
                    db.execSQL("ALTER TABLE tblSample ADD address varchar(128)");
                    break;
            }
        }
    }
}

I haven’t tried this, and I don’t think it’s the best way to go. If it does work, it would reduce the potential of a mismatch between the same version if it were created fresh or upgraded, since it’s just creating the first version and upgrading it to the newest version.

The main problem with this I think is that it doesn’t force you to think about the structure of your database, and could easily turn you into a lazy programmer (like having a catch clause that doesn’t do anything.) The other problem I can see is that it’s hard to see at a glance the structure of your database in the newest version, since you will need to process all the upgrade statements to see what it really looks like.

It’s your choice. This way should work, and will pretty much eliminate any possibility of a mismatch between a fresh and upgraded database, but at the same time you lose the ability to see the structure of your database, and it has the potential to make you lazy.
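
As an added example (not the post's code), the same version loop in Python over the standard library's sqlite3 module, which stands in for Android's SQLiteDatabase so it runs on a desktop: UPGRADES plays the role of the switch cases, and schemas_match() is the check the "Potential Problems" section asks for, building a version 1 database, upgrading it step by step, and comparing its columns with a freshly created one. A third version and the email column are constructed for the example, and the schema version is tracked with SQLite's own user_version pragma in place of SQLiteOpenHelper.

```python
import sqlite3

# A third version is included beyond the post's two, so the loop visibly applies several steps.
DATABASE_VERSION = 3

# Fresh-create statement, always the NEWEST schema (the post's DATABASE_CREATE_SAMPLE_TABLE)
CREATE_LATEST = """CREATE TABLE tblSample (
    _id integer primary key autoincrement,
    name varchar(32),
    address varchar(128),
    email varchar(64)
)"""

# The version 1 statement kept verbatim, only so an "old" database can be built for the check
CREATE_V1 = """CREATE TABLE tblSample (
    _id integer primary key autoincrement,
    name varchar(32)
)"""

# The Java switch(i) cases as a dict: entry i holds the literal statements taking version i to i + 1
UPGRADES = {
    1: ["ALTER TABLE tblSample ADD address varchar(128)"],
    2: ["ALTER TABLE tblSample ADD email varchar(64)"],
}


def on_create(db):
    db.execute(CREATE_LATEST)
    db.execute(f"PRAGMA user_version = {DATABASE_VERSION}")


def on_upgrade(db, old_version, new_version, upgrades=UPGRADES):
    # Same loop as the Java onUpgrade, wrapped in one transaction so a failing step rolls
    # everything back instead of leaving a half-upgraded schema (SQLite DDL is transactional).
    db.execute("BEGIN")
    try:
        for i in range(old_version, new_version):
            for stmt in upgrades.get(i, []):
                db.execute(stmt)
        db.execute(f"PRAGMA user_version = {new_version}")
        db.commit()
    except Exception:
        db.rollback()
        raise


def schema(db):
    """Every user table's columns as (name, type, notnull, default, pk) tuples, for comparison."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    return {t: [tuple(r[1:]) for r in db.execute(f'PRAGMA table_info("{t}")')] for t in tables}


def user_version(db):
    return db.execute("PRAGMA user_version").fetchone()[0]


def fresh_database():
    db = sqlite3.connect(":memory:")
    on_create(db)
    return db


def version1_database():
    # What an install from the first release would still have on the device
    db = sqlite3.connect(":memory:")
    db.execute(CREATE_V1)
    db.execute("PRAGMA user_version = 1")
    return db


def upgraded_database(upgrades=UPGRADES):
    db = version1_database()
    on_upgrade(db, 1, DATABASE_VERSION, upgrades)
    return db


def schemas_match(upgrades=UPGRADES):
    """The check from "Potential Problems": a v1 database upgraded step by step must equal a fresh one."""
    return schema(fresh_database()) == schema(upgraded_database(upgrades))
```

Run schemas_match() as a unit test on every schema change; a drifted upgrade statement (say, a different column type than the create statement) makes it return False.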

XKCD password: are longer passwords really that much better?

Source: XKCD

One of my favourite webcomics, XKCD, posted a comic regarding password strength, and how it’s better to use a long, but easy to remember password, over a shorter but more complicated password. I find that Randall (the author of XKCD) generally does some good research on all the concepts that he writes comics on, and I find that I agree with most of them, though this one particularly took my interest. Whilst I don’t disagree that longer passwords are going to be more secure against traditional brute force attacks, I want to look further into how much better having a longer password is.

Issue 1: Entry of the password
Mobile devices these days are more popular than ever, and their use is going to continue to increase. People are constantly asked for their password, and have to constantly type it in. Whilst the password “correcthorsebatterystaple” (the example used in the comic,) may be easy to remember, it’s also long to type. If you have a different password for every website you use (which is a good idea,) people are going to find it hard to justify typing in a 25+ character password for every website they visit.

Issue 2: Brute force isn’t really the main way to get passwords
Yes, the method used in the comic would make it very secure against a traditional brute force attack. That said, I suspect that brute force attacks are not really successfully used that much beyond dictionary attacks or passwords equal to or longer than 8 characters. There are other methods such as key loggers, malware, system vulnerabilities and social engineering (I have seen first-hand someone emailing their username and password to their email account in response to a phishing email they received.) These methods can generally result in more passwords being discovered for the same amount of effort (if the goal is just to harvest passwords and isn’t targeted.) The length of a password doesn’t matter in instances like this.

Issue 3: Most online systems won’t allow passwords that long
OK, so this is more of a reason why it’s not practicable rather than why it doesn’t really make a difference, but in short, quite a lot of online websites have a limit on the number of characters in a password. This isn’t a problem with the user though; I think that online systems should all allow for at least 32 character passwords.

Issue 4: Other security measures will/should kick in
Any website with good security measures should have a system in place that will bar login attempts for a particular account after a set number of unsuccessful attempts. In the case of having a long password because it makes it harder to brute force, a system like this would make that argument void. Any website that doesn’t have a system like this in place probably isn’t one that I’d want to have my personal details with.

Exceptions
There are exceptions where using passwords like the comic suggests would actually make a difference: encryption. This is because if someone has an encrypted file, brute force is a lot easier, because the only limitation is the speed of your computer… you can’t be locked out of an account after any number of unsuccessful attempts, you don’t have to wait for the server to respond, and so on and so forth. In fact, TrueCrypt recommends having a password of at least 20 characters.

Conclusion
I am all for having a good password for every website you visit, but having a long one may not make that much difference for many online sites.

Back to Ubuntu (sort of)

It’s been a good 2 to 3 years since I’ve used Ubuntu as a full time OS (for about 2 years it was the only OS I used.) I didn’t install it on my desktop PC when I first got it as Windows could do everything Ubuntu could do, and it was a gaming PC, so I more or less needed to put Windows on it.

Since I’ve found myself doing more and more developing on my computer, and Uni work (which for some subjects needed a Unix based machine!) I thought, why not try Ubuntu on my desktop again? There’s no way I’m getting rid of Windows (I paid too much for this graphics card just to have it do nice Compiz effects in Ubuntu!) but I have reverted to a nice dual boot setup.


All I can say is: wow! Where have I been? I suppose, all the new features that come about slowly through releases I have missed, because I haven’t really been keeping up to date with Ubuntu. On top of that, I’ve installed 11.04, and that’s probably the biggest deviation for a long time with the Unity interface.

Granted, I still haven’t got dual screens set up yet (actually, I’ve never tried Ubuntu with dual screens,) I’m just waiting for some downloads to finish before I go ahead and restart my computer after installing the AMD restricted drivers. Hopefully it won’t be too much trouble. (Edit: It wasn’t! AMD Catalyst took care of dual screens with no problems.) The only other problem I’ve had so far is I can only get sound when I have my headphones plugged into the front port; I can’t get it out of the speakers when they are plugged in the back. (Edit: It’s a bit embarrassing, the volume was turned down on the physical speakers. Worked without a problem.) I suppose this is something that I can fix, but it’s definitely nowhere near as much trouble as I, and many other people, have experienced with Ubuntu in the past.

So whilst I plan to keep Windows on my computer (as mentioned, the graphics card cost too much, and I’ve invested a lot of money into Steam games,) I think I’ll use Ubuntu for any Uni work or development related tasks that don’t involve .NET (which I’m slowly moving away from, ever since the future of the Mono project was put into uncertainty. One of the reasons I was happy to develop for .NET was that Mono would mean it was almost as versatile as, say, Java.)

So, I’m back. At least for a bit. Hopefully I can keep it up.

IntelliJ IDEA Java IDE: Second Impressions

Edit: Just bought it. It is that good after a few days of use.

I have already given my unfavourable first impressions of IntelliJ IDEA, but I was forced to continue editing the post with an apology (the errors that were created were my fault) and another edit saying that I actually found it to be really good.

I decided I’ll give it another go (on my desktop, as the trial on my laptop has pretty much expired… or will expire in a few days, and my desktop has a lot more screen real estate, so is a much better development environment.) And all I can say is, if you look past the interface (it doesn’t blend into Windows too well, but you sort of get used to it,) wow. Eclipse, I’m leaving you.

It’s true, IntelliJ does have everything. It is absolutely amazing, especially the static analysis tools that it offers. What are some of the absolutely amazing features I’ve noticed? Well, for one, the static analysis tool. Not only does it detect potential problems in your code, it can go ahead and fix them, without any problems at all! And how good are these static analysis tools? Well, I have a for loop. I could have used a for each loop, but didn’t because I was too lazy. IntelliJ suggested I use a for each loop, and actually went ahead (with my approval of course) and changed it to a for each loop, without breaking any code! Or maybe the small, but nice thing, when I was developing a reg-ex in another program, it automatically put a ‘\’ in front of every quote that needed it. I could quite literally paste the string and not have to change it at all.

I have barely scratched the surface and I’m already loving it. I don’t think I could use Eclipse again, unless it all of a sudden got a lot better or I didn’t have a choice (e.g. in a work environment.)

So, this isn’t a review, but just a correction to say my first impressions weren’t correct. I’m definitely going to buy it when I get the funds together.

Better security on Windows 7

Continuing my theme of setting up my new laptop that I blogged about the other day, a few thoughts came to mind when thinking of how to best protect it from a security standpoint.

First thing that I thought of is theft. I actually have lost a laptop before (granted, I was a bit careless,) so the thought of being able to track down a missing laptop does sound appealing. The laptop I got supports LoJack for Laptops in the BIOS, and as far as I can see, it is the best solution. Whilst I haven’t got it yet (it’s proving difficult to get in Australia,) I do plan on getting a subscription.

The second thing that I thought of, and is related to the first point, is the security of my data. Whilst I am only a Uni student, I’d still rather people don’t go through my stuff. So, what I eventually decided to do was create a TrueCrypt volume that gets mounted when I log on, and move my Dropbox to that volume. You need to do a few things to get this to work properly (including making sure Dropbox doesn’t launch before the volume is mounted.) Lifehacker has a nice guide on how to do this.

After I added the encryption, I decided to actually remove my Windows password. Why? Well, I’ve already got one password protecting my data, which is a lot better than a Windows password anyway (which can be removed with a bit of know-how, so it’s pretty pointless,) and it allows others to use my computer without me being present. Why is this a good thing? Well, if it does get stolen, LoJack relies on it being connected to the Internet to find out where it is, so having just the encryption password is the best of both worlds: it’s easier for potential thieves to access the Internet (which increases my chances of getting the laptop back,) and it protects my data a million times better than Windows could ever hope for (also important to note: I don’t save passwords, or stay logged in, in my browser; I use KeePass for that, which is encrypted too, so I’m not worried about them getting into my account). So, I’m pretty much keeping my software install to an absolute minimum, just a web browser, Office, and any other small, but useful things that I need to function.

This method doesn’t come without problems, though. The problem that I can see with letting people log in is that it’s one less barrier to, say, installing a key logger on my computer and getting my encryption password. (As that’s all the Windows password really is, just another barrier that makes it more annoying, rather than actually secure.) The problem I can see with an auto-mounted TrueCrypt volume is that it will still be mounted when you wake your computer up from sleep (not sure about hibernation, but I presume it’s the same; I normally use sleep.) This means that, if your computer is lost whilst it’s sleeping, your data is even more vulnerable, because there’s nothing protecting it. As for a solution to the first issue: only let people you trust use your computer, and regularly scan it for malware. As for the second issue, for now I’m shutting down my computer (a bit inconvenient, but with minimal software installed, it’s not too bad,) and I’m looking into a way to dismount it when it sleeps (though I doubt there’s time to run an action when it sleeps; the second best is to run a script when it wakes up, which isn’t as secure, but still better than nothing.)

UNIX Programming in C: Using fork(), exit() and wait()

Today I had a tutorial task due, and part of it involved using fork() to create a child process, wait() for it in the parent, exit() the child process when necessary, and pass a value back to the parent process.

I thought to myself that this would be pretty easy: all I needed to do was pass a pointer to the wait() function, and when exit() is called from the child, the value passed to exit() would be stored at the pointer I specified in the wait() call. Turns out I was close, but not quite. Whilst I’m sure it exists, I didn’t find much material online; I actually had to find the answer in my textbook (who does THAT these days?)


A sample of what I was trying to do is:

wrong.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>


int child(void);


int main(void)
{
    int fork_result, result;

    fork_result = fork();

    // If this is true, it's the child process
    if ( !fork_result )
        exit ( child() );

    // If it gets to here, it's the parent process
    // Wait for the child process to end, and put the
    // raw status word in the variable result
    wait ( &result );

    printf ( "Result from the child: %d\n", result ); // Expected 5, but see below

    return 0;
}


int child(void)
{
    // Run the child process here
    sleep ( 10 );
    return 5;
}

Pretty much, what we want this program to do is wait 10 seconds and then print out:

Result from the child: 5

Unfortunately, that’s not what we get. It does wait 10 seconds, but the result is:

Result from the child: 1280

What could it possibly be? At first I thought that it’d be the PID, but it remains consistent. On my computer, that number is always the one that is output. Where does it come from? How can I get the result I expected?

The answer’s simple, but annoying. The integer contains more than just the result that we wanted to pass back. Let’s have a look at it in binary to see if we can see where 5 is.

1280(dec) = 0000010100000000(bin)

This is “supposed” to contain extra information in the first 8 bits (remember, you start counting from the right, so the “first” bit is the far right); apparently it doesn’t in this case though. So, where does the number 5 come in? Well, it starts at the 8th bit from the left. Below I have marked the starting position in square brackets:

1280(dec) = 0000010[1]00000000(bin)

As it would turn out, 101(bin) is 5(dec). So, how do we extract it? We could mask the bits and use a bitwise AND operator, or we can simply shift the bits 8 to the right. Doing this will shift the far 8 bits on the right hand side off, and make the 8th bit the 1st bit. It will turn it into

0000000000000101(bin)

Which happens to be 5(dec), which is exactly what we want!

So, how do we do this in C? Just put the following code in before you want to use the result (even better, put it in just after you obtain the result)

result = result >> 8;

(If you want to get other information from result, you may not want to put it back in itself. Make another variable so you can keep result to extract other information later on if needed. If you don’t, then I don’t see any problem doing this)

So, our code will look something like this:

right.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>


int child(void);


int main(void)
{
    int fork_result, result;

    fork_result = fork();

    // If this is true, it's the child process
    if ( !fork_result )
        exit ( child() );

    // If it gets to here, it's the parent process
    // Wait for the child process to end, and put the
    // raw status word in the variable result
    wait ( &result );

    // Get the result code: the exit value lives in bits 8-15 of the status word
    result = result >> 8;

    printf ( "Result from the child: %d\n", result ); // Should be 5

    return 0;
}


int child(void)
{
    // Run the child process here
    sleep ( 10 );
    return 5;
}

What does it output after 10 seconds? You guessed it:

Result from the child: 5

This is what we want.

If you are interested in finding out what the other bits mean (you know, the first 8 bits,) I would highly recommend reading “Understanding Unix/Linux Programming: A Guide to Theory and Practice” by Bruce Molay. One of the best textbooks I’ve used in my course. The specific page with this code on it is 270, though reading the whole chapter to make sense of it all is probably advisable.
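As an added example (not code from this post or from Molay’s book), here is the same fork/wait exchange decoded with the POSIX macros WIFEXITED, WEXITSTATUS, WIFSIGNALED and WTERMSIG, which read the same status word the shift above does but also cover the case the shift hides: a child killed by a signal, where `status >> 8` is 0 even though nothing exited normally. It also shows that only the low 8 bits of the value passed to exit() survive. The struct `child_result` and the functions `decode_status` and `run_child` are names made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/wait.h>

/* Everything the parent can learn from one wait() status word. */
struct child_result {
    int exited, code;     /* normal exit? and its 0-255 exit code (else -1) */
    int signaled, sig;    /* killed by a signal? and which one (else 0) */
    int raw_shift;        /* the bare "status >> 8" from the post, for comparison */
};

/* Decode with the POSIX macros instead of a bare shift, so a child
 * killed by a signal is not mistaken for a normal exit with code 0. */
struct child_result decode_status(int status)
{
    struct child_result r = {0, -1, 0, 0, status >> 8};
    if (WIFEXITED(status)) {
        r.exited = 1;
        r.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        r.signaled = 1;
        r.sig = WTERMSIG(status);
    }
    return r;
}

/* Fork a child that kills itself with sig (when sig != 0) or exits with
 * exit_code; the parent waits for that child and decodes its status. */
struct child_result run_child(int exit_code, int sig)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(EXIT_FAILURE); }
    if (pid == 0) {              /* child */
        if (sig != 0) raise(sig);
        _exit(exit_code);        /* _exit so the parent's stdio buffers are not flushed twice */
    }
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); exit(EXIT_FAILURE); }
    return decode_status(status);
}

int main(void)
{
    struct child_result a = run_child(5, 0), b = run_child(0, SIGKILL);
    printf("exit(5):  exited=%d code=%d shift=%d\n", a.exited, a.code, a.raw_shift);
    printf("SIGKILL:  signaled=%d sig=%d shift=%d\n", b.signaled, b.sig, b.raw_shift);
    return 0;
}
```

Calling `run_child(261, 0)` reports exit code 5, because exit() keeps only the low byte of its argument.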