Tuesday, September 18, 2007

Developed country..

I ran out of disk space, so I purchased a 500G external hard disk. This disk was big enough for a file server, so I purchased a second-hand PC from my roommate (a laptop can't be kept permanently on). I needed a monitor for my PC (and of course I hate CRTs).. so I purchased a 22'' HD LCD monitor.. but all my room had was a futon, so I got a table to keep the LCD on. This is where my story begins:

My roommate took me to a thrift store to get me a cheap second-hand table (of course I was gonna pay.. he had the truck to lug the table).. the cheapest one was for $100. Across the street was an Office Max. I got a decent table for around $50, which along with a stupid 3 year warranty (on a stupid friggin table) and service tax cost me around $75.. that's not it. Apparently you have to assemble the table yourself in USA!! I got a bunch of weird looking plywoods, different types of screws and a manual to put it all together. The salesman (with shining teeth and a thumbs up) retorted that it should be child's play for a computer whiz like me (yes.. if you are an Indian with specs in Silicon Valley.. people assume that you have something to do with computers).

5 hours, one broken screw driver, a swollen arm and a million curse words later, the table was finally assembled.

Four years ago when I needed a table in Bangalore, I just went to the market and picked up a Rs 75 table (completely assembled) and paid the auto rickshaw Rs 30 to deliver it to my place. Is it just me or have people really misunderstood the meaning of a developed and developing nation?

Saturday, September 15, 2007

The Bitter truth

Anyone who knows me knows that I used to loathe MBAs/Marketing guys (well, Marketing ppl I didn't know). Yes.. I was prejudiced, sort of envious of their life and had a feeling of being hoodwinked every time I dealt with them. I think it's time for me to adapt to the nature of the world rather than question it. So here's my open apology to all you MBAs out there..

I never was and probably never will be a glib, suave, sophisticated salesman. What one wants to be in life depends on his priorities.. it's a binary choice; either one aims to be highly creative or one aims to be extremely rich. There is no middle ground. Although your priorities can change over time. You can't be rich and creative.. and mind you the rich will mostly take the credit for the work done by the creatives.

I'll restrict my domain to engineering as a creative work as I can relate well to it. An engineer creates great product, a salesman sells "not so good" products but it sells better than the "great" product. You could call the salesman evil for selling a "not so good" product or you could call an engineer incompetent for not being able to sell his product. The truth is that it does not matter and is not going to change anytime in the future. The salesman will always be on the deck of the cruise sipping a martini while the engineer would be in the engine room doing a performance study of the isothermal combustion inside the turbine... you get my drift. And at the end of the day, when the engineer comes up with a new design for an efficient engine, the salesman takes most of the credit just by doing a presentation (and mind you.. does better than the engineer).

Lemme support my verbiage above with some examples:
  • We all know Shah Jahan built Taj Mahal... who was the architect?
  • Windows was built by Microsoft(most people assume its Bill Gates :P )... who designed it?
  • Did you know who Ted Hoff is? (inventor of Microprocessors)
  • Did you know who Per Brinch Hansen was? (Inventor of OS)
Unless you are a "fact geek".. you might not know the answer to any one of them... and you know what, these guys didn't care. They are necessary for the well being of human race. We should be thankful to each one of them.. from the one who made fire to the ones who are making laser propelled space crafts. We should also be thankful to the salesmen.. they are the ones who are bringing these products to the masses. How would the world now be if we didn't have a Bill Gates mass producing and selling PC softwares? Each product defines a milestone in technological evolution and there is no looking back (Think iPhone, iPODs etc).

In conclusion when a large corporation speaks to you (urges you to buy its product), the voice behind the loudspeaker is that of an engineer.. the loudspeaker itself is the salesperson. You need both of them to convey a message to 10+ billion people in the world.

So all the MBAs out there.. if I have ever judged you by your good looks, smooth talk, a balanced life and money, I realize that it was not your fault.. it was and is my choice. Accept my humble apologies...

Saturday, August 18, 2007

Why do you need PGP?

Let's answer a more basic question first: Why do you need any security constructs like antivirus, firewall, IDS etc.? Maybe because:

  • You have secret/vital information to protect.
  • The exploit/attack is so easy that any casual user can do it.. for fun.

On my laptop running Linux I don't have an antivirus, firewall or IDS.. I don't have any critical information on my laptop (the critical information is encrypted using my DNA sequence, scrambled using my iris pattern as seed, divided into blocks and stored on NSA servers :P), nor does it run continuously to give the attacker any time to conduct the attack... It's a different story altogether for workstations running 24x7. That said, why do I need PGP to encrypt/authenticate my mails then? It's not that I need to protect my mails from the public eye or even a passive listener.. come on, what can a person get by reading the emails I write to my friends and family!!.. The problem arises when he can write emails to my friends and family using my email ID.. and be undetected. The point of concern is how much easier it is to do so.. let me show you how:

PLEASE NOTE: Doing this is illegal in US and EU unless you own the email addresses you are using. Posing as a third party is considered identity theft and is a criminal offense. I am using the email address that belongs to me and this demonstration is for educational purposes only. I am not responsible for anything you might do with the information provided here.

  • Cover your tracks: What better way to do that than tor+privoxy!! Since I will be using telnet for this exploit, I need a way to torify telnet. The torify command does that but I was too lazy to figure out the syntax. I grabbed tor_aliases to do that. It's a small script that you add to your .bashrc, which automatically torifies various net tools like telnet, scp etc. (Thanks t3rmin4t0r for pointing it out to me on #linux-india).
  • Find the smtp server of the victim: I am going to send a mail to testingusage@gmail.com (again the ID belongs to me and I use it for testing purposes). Let's figure out which smtp server gmail uses..


    sridhar@pico:~$ dig mx gmail.com
    ; <<>> DiG 9.3.4 <<>> mx gmail.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;gmail.com. IN MX

    ;; ANSWER SECTION:
    gmail.com. 3534 IN MX 50 gsmtp183.google.com.
    gmail.com. 3534 IN MX 5 gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt2.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 50 gsmtp163.google.com.

    ;; ADDITIONAL SECTION:
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.114
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.27
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.114
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.27
    alt2.gmail-smtp-in.l.google.com. 285 IN A 66.249.91.27
    gsmtp163.google.com. 5883 IN A 64.233.163.27
    gsmtp183.google.com. 4017 IN A 64.233.183.27

    ;; Query time: 64 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Jul 29 14:05:57 2007
    ;; MSG SIZE rcvd: 270


    The MX records point to the servers that receive email for the domain. The numbers 50, 5, 10, 10, 50 you see are preference numbers: the lower the number, the higher the preference. For us it means a higher probability of a successful attack, which implies that we will be using gmail-smtp-in.l.google.com.

  • Speaking SMTP: The last step is to speak SMTP to make the server accept the mail. I am not going to teach you SMTP here. Check out RFC 821 for the details.

    sridhar@pico:~/blog$ telnet gmail-smtp-in.l.google.com. 25
    Resolving gmail-smtp-in.l.google.com. through tor... 209.85.129.27
    Trying 209.85.129.27...
    Connected to 209.85.129.27.
    Escape character is '^]'.
    220 mx.google.com ESMTP o11si2850482fkf
    502 5.5.1 Unrecognized command o11si2850482fkf
    helo
    250 mx.google.com at your service
    mail from: <testingusage@gmail.com>
    250 2.1.0 OK
    rcpt to: <testingusage@gmail.com>
    250 2.1.5 OK
    data
    354 Go ahead
    From: Someone <someone@someone.com>
    Subject: Testing

    I see the light!!

    .
    250 2.0.0 OK 1187318464 o11si2850482fkf
    quit

Please do note that testingusage@gmail.com is my own ID, so no harm done. What have I just done? Sent an email to testingusage@gmail.com as someone@someone.com... I could have used any email address there and nothing will be traceable back to me. The following screenshot shows you the result:


As you can see, the message was marked as spam. That is because I did not create the mail properly and someone.com may be in its blacklist. It's fairly easy to fool those spam filters.

In fact, the method just demonstrated is used a lot by spammers.. just a bit more refined and automated. Nothing is stopping your mortal enemy from impersonating you and wreaking havoc in your life. Yes, there are ways to detect a fake mail.. IP analysis, the route it takes etc., but it all requires the receiver to be a paranoid geek. How many mails do you receive daily and how many times have you stopped to check the authenticity of the mail?
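Some of the header checks mentioned above can be scripted, so the receiver does not have to do them by hand. The following is an added example, not part of the original post: it parses a constructed message modeled on the test mail above and lists reasons to distrust its From: line. The Return-Path and Authentication-Results headers, the 192.0.2.10 address and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: roughly how the test message from the telnet session
# might look once delivered. Return-Path and Authentication-Results are
# assumed to be stamped by the receiving server; 192.0.2.10 is a placeholder.
SAMPLE = """\
Return-Path: <testingusage@gmail.com>
Received: from [192.0.2.10] by mx.google.com with SMTP id o11si2850482fkf
Authentication-Results: mx.google.com; spf=softfail smtp.mailfrom=testingusage@gmail.com
From: Someone <someone@someone.com>
Subject: Testing

I see the light!!
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Map method -> result, e.g. {'spf': 'softfail'}."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";")[1:]:  # part 0 is the server's own id
            m = re.match(r"\s*(\w+)=(\w+)", part)
            if m:
                found[m.group(1).lower()] = m.group(2).lower()
    return found

def spoof_indicators(raw):
    """Return a list of reasons to distrust the From: line of a raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From domain {from_dom} != envelope sender domain {env_dom}")
    results = auth_results(msg)
    for method in ("spf", "dkim"):
        if results.get(method) != "pass":
            findings.append(f"{method} result: {results.get(method, 'absent')}")
    # Presence only: a signature still has to be verified with gpg.
    body = "" if msg.is_multipart() else msg.get_payload()
    if msg.get_content_type() != "multipart/signed" and "BEGIN PGP SIGNED MESSAGE" not in body:
        findings.append("no OpenPGP signature")
    return findings
```

A message that passes all four checks is not proven genuine; the checks only surface the mismatches that a forged From: line usually leaves behind.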

So what is the solution?.. PGP or its free, open source implementation GPG (GNU Privacy Guard). There are millions of tutorials on the web, so I am not going to write another one here.

In a nutshell, it attaches a digital signature (in effect a keyed hash) to your mail. Since it uses DSA, only you possess the private key needed to create that signature. All other users can only verify it using your public key (which has to be published on key servers, e.g. http://pgp.mit.edu ). The email client takes care of the whole process so you don't have to do anything except the initial setup.

Is it foolproof? NO.. This will only stop casual attacks. The attacker may spoof your identity, create a public key with your credentials and ask the receiver to download his public key, so the receiver might consider your emails fake and the attacker's emails real, but of course this is not something your friend might do for fun.

Bottom line: if you are breaking up with someone on email, proposing to someone or making a million dollar deal, use GPG to tell the receiver that it's really you :)
BTW my pgp key is this. That said I can always deny sending a mail which doesn't have my signature... which I might use to satisfy my evil ends ..Mwahahahaha.

PS: There are chances that the attack shown above might not work. This would happen if your IP is blacklisted.

Sunday, August 12, 2007

Software piracy.. we need to re-evaluate our definition.

Let me throw away my "Ms Universe" stance and admit that I am a hypocrite. I want to get stuff for free but I want others to pay for the things/software I create/produce. Apparently there are a lot of people who think like me, a lot of them do not produce/create anything.. they basically want stuff for free.. which leads to piracy.

First of all, we need to assert the true meaning of the word Pirate; basically a thief/burglar working mostly off-shore. What do you need to do to be a pirate? umm... kill few people, take their belongings and perhaps wear an eye patch (Arrrrr..). Now how did the word piracy come to mean a guy sharing his music/software while still retaining the original copy of the music/software, I'll never know. The word coined by the likes of MPAA and RIAA (perhaps one of them but am not sure) totally defaces the normal norms required for the existence of a society.

By this time most of you anti-piracy advocates would be yelling: THERE SHOULD BE A REWARD FOR INNOVATION. Sure.. there should be one, but creating something does not justify being greedy. Apple developed the iPod in 6 months and as of April 2007 has sold 100 million copies.. isn't that a big enough reward? Harry Potter and the Deathly Hallows was the most preordered book in history and J.K. Rowling is a millionaire.. isn't that a big enough reward? Yes, they are losing a couple of million dollars.. am sorry that they won't be able to buy the unicorn and a gold coated private jet.

Software pirates are not kleptomaniacs who just download anything off the internet... just the stuff they don't want to pay for. E.g. I will never download 300 or watch it on the television.. but I won't pay $10 to watch You, Me and Dupree in a theater. Being a movie junkie, I can't resist seeing the movie either.

Digital piracy is here to stay. Why? Because reverse engineering is always easier than engineering and the people who crack the DRMs and torrent the files are much smarter than the people who put the DRM in the first place. It's a cold war that's going on between the software geeks and the stuffy corporate marketing managers on a turf where the geeks have spent their whole life... it's not too difficult to predict the outcome with most of the major players shunning DRM and MPAA/RIAA. Also the American law forbids the export/import of any strongly encrypted software (i.e. can't be cracked by NSA).. which means that the technology is always going to be crackable.

Let's do the math now.
US population: 301,139,947
Broadband Access: 40,876,000
Let's restrict our calculation to movies. Percentage of illegal movie downloads = 20%
Note that I am just considering broadband users so have accordingly bumped up the percentage by a conservative estimate of 2% (the source mentions 18% total).
=>Total number of Americans downloading movies= 8,175,200 (the real number is actually 25 million).
Number of cases filed= 87
Probability of getting caught = 87/8,175,200=.000001

Need I say more!!

Tuesday, August 07, 2007

He became a legend..

Dr Per Brinch Hansen, my compiler design professor, Chief architect of RC4000 minicomputer(That had the first real OS), inventor of monitors, author of first concurrent programming language:Concurrent Pascal, author of the first book on OS, a voracious reader and a drop dead geek(in a good way.. although he always said that the word was coined by Stupid Americans to pick on smart people, including Americans.. so don't take it personally guys :), because it's difficult for a dumb guy to rise up to the level of a smart person) died on July 31, 2007. He was 68 and was diagnosed with cancer in June.

This was his last email to me that I'll cherish forever:

Dear Sridhar,
Thanks for your kind email of June 1. I am still recuperating after my hip surgery.
I am happy to hear that you found an interesting job in Santa Clara. Everybody should live in California while they are young.
Keep in touch!

Per Brinch Hansen


It's hard to imagine him gone, partly because I never considered him a mortal being. Although he was suffering from senile decay, he had a really overpowering personality and you could really see the halo of knowledge. Frankly, he was seen as a really eccentric person by many of my friends, but since I tend to be eccentric at times, I was totally comfortable with him (Probably for the same reason I chose supposedly the most difficult professors as my advisors in undergrads).

May his soul rest in peace. I wouldn't say that he died.. but became a legend. His legend will inspire many future generations of Computer Scientists/Engineers.