In today's world, and specially for a person who uses Internet a lot (you are one of them if you are reading this blog), it is often a very difficult task to remember and manage passwords and PIN codes. Everybody recommends that you set a unique password and memorize it. Well, it is not humanly possible to set different and difficult passwords and remember them all. Humans cannot program their brain cells to behave like a hash-table of <website <username, passwords>>. But we a strong in built neural network.

There are numerous articles on the Internet that would suggest best practices. Follow them and add some creativity into it. They are definitely useful.

Read Password Management Best Practices by MTECH Identity Management.

Today I will discuss those practices that I have learned over the years and those that I can follow.

The first very three very important attributes of passwords to bear in mind:
1. The strength of the password in itself.
2. The mode of travel of the password over the network to reach the server.
3. The format in which the password is stored in the server.

Most people ignore the second and the third point.

Case 1:
Imagine a very strong password like "TsxW&^347F2" which is strong in itself, but stored in plain text on the server.

Case 2:
Imagine a very strong password like "TsxW&^347F2" which is stored encrypted on the server but it is transferred in plain text over the network.

Case 3:
Imagine a server which accepts only encrypted traffic, stored the password with a one way encryption but the password chosen by the user is "flower". Shame! Shame!

All the above cases leads to compromise of your password. All the three factors should be fool-proof.

However, as a user you don't have any control over the way the passwords are stored at the server (problem 1).

You may not also have control over the way the password is transferred over the wire(problem 2).

You do have control over choosing a strong password, but very difficult to remember so many strong passwords with their corresponding user name. (problem 3).

You also need to choose a user name which is unique. Every time you enter a user name, it says its taken and you end up having so many user names for so many website.(problem 4).You wish your parents had given you a name that does not show up in Google search. Curse not your parents before you manage to give your child one such name and he/she does not hate you.

The way I address these problems may not be 100% save, but I know that it is pretty good from what I have learned while working as a developer for a Software Security company.

One idea is to use the same password everywhere so that you can remember, but not before creating a set of such passwords for categories of sites. I give one password for every category and use the same password (but with a pinch of salt).

The categories:
1. For websites which if compromised, can cause huge monetary loss. This includes your online bank accounts, credit cards, e-commerce websites. All of them use secure communication channel and we can reasonably assume that they store passwords securely.

You need to choose a very hard password, that is very difficult to crack. Something like "TxW&^7F2" and one which you can remember. Optionally you can add another character or number to it based on which site it is for. Example: TxW&^7F2paypal for your paypal account. This becomes the pinch of salt. Consider this postfix as your home grown crytographic salt. Get innovate, derive a salt and dont tell you friends about your salty logic.

2. For websites which if compromised, cant cause monetary loss but can damage your identity in the e-world, can cause grave non-monetary losses and potential monetary losses too. This includes your email websites, your bill-paying sites, your office and home computer and networks, etc. These sites may secured or may not be. They never send your passwords via email, but send a link back to you to reset your password.

You need another set of password which is in NO WAY lined to "TxW&^7F2". Hackers know that Home sapiens have the tendency of keep the same passwords. Keep something different. Keep a similar passwords for secure websites like https://google.com or your office NT domain.(or maybe keep the office away coz your superior may suddenly call you in the middle of the night and ask you your password). Be sure not to use the same password for non-trusted sites. The ability to add a innovative salt into this category practically depends on your personality. I dont.

3. Those sites that your don't care even if you loose your password. Its just that they need a user name and password to use their service. They even send back your old password via email if you request it. Its for sure they are not storing it securely.

For this keep a crap password, the complexity of which depends on your own capacity to remember, but never the same password which you have used for the other two categories.

OK, by now you have so many passwords and user names. If you use a formula it is easy to remember, but we all know its easy talking and blogging then remembering. There will be a site that does not take that special character.There is one website where I just had to use a weird user name and there is another one which generated a user name for me.

We also generally end up remembering passwords we often use daily and our magic formula formula probably works, but we still feel the need to write down the password somewhere. Dont we?

Enough of this today, I will write about ways I use to securely store these passwords in one of my future post and it will not be an advertisement of a product/solution that you need to buy.

I will also demonstrate (step by step guide) to you how your password can be read over the network when it is passed over a non SSL channel in yet another post. I also did not touch over the potential problems caused when passwords are stored insecurely at the server. But I guess I dont need to. But I will talk about one of the most commonly used techniques used by websites to store your passwords and how vulnerable they are.

Stay tuned! Your thoughts and ideas are welcome.

While installing Wordweb today, I came across one of the most interesting software licensing terms and conditions that I ever read so far. It says:

You may use the program free of charge indefinitely only if

* You take at most 4 flights (2 return flights) in any 12 month period
* AND you do not own or regularly drive an SUV (sports utility vehicle).

If you do not qualify you must uninstall the program after the 30-day trial period or purchase WordWeb Pro. The license is designed to provide a small incentive for people with massively unsustainable emissions to cut down.

Whenever a user no longer meets the above requirements, and they have installed the product for more than 30 days, they must uninstall the product or purchase WordWeb Pro; otherwise it is software theft.

Read the full license agreement here.

I am installing this product after more than 3 years and I dont remember what it was at that time. In my opinion its a very noble way to spread awareness. The other related software that I heard a few months back was Blackle - Energy Saving Search, which at the time of writing this blog claims to have saved 187,619.780 Watt hours of energy.

Wordweb is a free English thesaurus and dictionary for Windows, and can be used to look up words from within almost any program in just one click. You just select the text in your document or the browser and just left-click on the WordWeb icon on your task bar and it opens up the dictionary entry. In my opinion it is a must have thing for your PC.

vi (or vim) they say is very powerful. I wonder sometimes : "Why is everything that is supposed to be powerful has remained unexplored by me?"

Though I prefer xemacs more than vi but end up using vi many times. I recently learned that I could find a file from inside vi. Many time we do a #include "xyz.h" in our C/C++ programs and we want to jump to that file directly. Move your cursor over the file name and type [Esc]gf to open that file right into your vi. It is not necessary for the file to be in #include. It could be anywhere and its not C/C++ specific.

The way it works is vi searches for the file in the path variable. This is not the PATH environmental variable. This is a vim specific option which generally defaults to .,/usr/local/include,/usr/include/. It searches your currently directly fist and then the default system include dirs.

You can add your own search able dirs to the path variable. If you want to include /home/shuva/include or ./include (meaning the include dir from your current working dir) you can set the path option like this:

:set path+=/home/shuva/include,./include

Dont ask me how to go back to the file you have been editing. I don't know and if you find it please write it up in the comments section below. I will be thankful.

If you want to explore more on smart vim tricks read the Vim documentation at sourceforge..

The program crashes with a bad segmentation fault.
You try hard looking at the code and run over it many times and dont see the error so easily.
So you attach your favorite debugger and step through it and it does not crash.

For a developer, this scenario is very irritating. You become almost helpless when the tools that are supposed to detect flaws in your code dont.

There are many reasons why a program does not crash in your debugger. Today I will demonstrate with an example one of the "N" reasons why this could happen.

A little basics:
A Segmentation fault (SIGSEGV) occurs when a program attempts to access a memory location that it is not allowed to access, or attempts to access a memory location in a way that is not allowed.

It is possible that you or your debugger performed certain actions that has made a memory location readable or writable. Once this happens, then the code which used to seg-fault will run smoothly user the process space of the debugger. When you start a debugger like gdb, you have the ability to read data from any memory that you can access, provided you as a user has permission to do so.

The program you wrote must not have set permissions to access certain memory areas and may be trying to read from that memory.

Our example today is based on two processes, one writer and the other reader and they use POSIX shared memory to pass a message to the other.

The writer creates a shared memory segment. If it exists, it deletes it and creates a new segment. It then attaches to it, write a few bytes of data and detaches.

The reader attaches to the shared memory and tries to read the data and print. it then detaches and destroys the segment.

Thats all our program does. Below is the code straight from my build-box. You can simple copy and compile using the Makefile below. Discussion follows below ....


Code:
------------------------------------------------------------

/* myshm.h */
#ifndef SHM_H
#define SHM_H

#define MY_SHARED_MEM_NAME "/my_shared_mem_name"
#define MY_SHARED_MEM_SIZE 1024 //1 kb
#define READER 0
#define WRITER 1

void* Attach(int rw_flag);
void Detach();
void Destroy();
void Write();
void Read();

#endif

----------------------------------------------------------

/* myshm.c */

#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include "myshm.h"

void* mem_start = NULL;

void* Attach(int rw_flag) {
	int ret = 0;
        int fd = 0;
	int shmExists = 0;

	if (rw_flag == READER) {
                fd = shm_open(MY_SHARED_MEM_NAME, O_RDWR ,S_IRWXU | S_IRWXG);
                if (fd == -1) {
			printf("Shared memory does not
                               exist..\n");
                        return NULL;
                }
	}

	if (rw_flag == WRITER) {
        	fd = shm_open(MY_SHARED_MEM_NAME, O_RDWR | O_CREAT | O_EXCL,                              S_IRWXU | S_IRWXG);
       	if ((fd == -1) && (errno == EEXIST)) {
			Destroy();
			fd = shm_open(MY_SHARED_MEM_NAME, 
                                      O_RDWR | O_CREAT, 
                                      S_IRWXU | S_IRWXG);
			if (fd == -1) {
				return NULL;
       			}
		}
	} else if (fd == -1) {
		return NULL;
        }

	if (rw_flag == WRITER) { 
        	ret = ftruncate(fd, MY_SHARED_MEM_SIZE);
        	if (ret == -1) {
			return NULL;
        	}
	}

        mem_start = mmap(0, MY_SHARED_MEM_SIZE, PROT_WRITE, MAP_SHARED, fd, 0);
        if (mem_start == MAP_FAILED) {
		return NULL;
        }

        ret = close(fd);
        if (ret == -1) {
		return NULL;
       	}

	printf("Attached to shared memory at:%p\n",mem_start);

	return mem_start;

}

void Detach() {
	printf("Detaching...\n");
        munmap(mem_start, MY_SHARED_MEM_SIZE);
	return;
}

void Destroy() {
	printf("Destroying shared memory..\n");
        shm_unlink(MY_SHARED_MEM_NAME);
}

void Write() {
	printf("Writing into shared memory..\n");
	char* data = "NETOTTO";
	memcpy(mem_start, (void*)data, 8);
	return;
}

void Read() {
	printf("Reading from shared memory..\n");
	char data[8];
	memcpy(data, mem_start, 8);
	printf("Data is: %s\n", data);
	return;
}

-----------------------------------------------------------

/* Writer.c */

#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include "myshm.h"

int main() {
	
	int ret = 0;
	if (Attach(WRITER) == NULL) {
		perror("Error attaching to shared memory\n");
		exit(1);
	}
	Write();
	Detach();
	return 0;
}

------------------------------------------------------------
/* reader.c */

#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include "myshm.h"
int main() {
	
	int ret = 0;
	if (Attach(READER) == NULL) {
		perror("Error attaching to shared memory\n");
		return(1);
	}
	Read();
	Detach();
	Destroy();
	return 0;
}

-------------------------------------------------------------
/* Makefile */

default: all

all: writer reader 

writer:	myshm.o  writer.o
	g++ -g myshm.o  writer.o -lrt -o writer

reader: myshm.o reader.o
	g++ -g myshm.o  reader.o -lrt -o reader

myshm.o:	myshm.h myshm.c
	gcc -c -g myshm.c

reader.o: 	reader.c
	gcc -c -g reader.c

writer.o:	writer.c
	gcc -c -g writer.c

clean:
	rm -f *.o reader writer

-----------------------------------------------------------

This is what happens when you run the writer followed by the reader.

[root@shuvavmrhel ]# make
gcc -c -g myshm.c
gcc -c -g writer.c
g++ -g myshm.o writer.o -lrt -o writer
gcc -c -g reader.c
g++ -g myshm.o reader.o -lrt -o reader

[root@shuvavmrhel ]# ./writer
Attached to shared memory at:0xb7fff000
Writing into shared memory..
Detaching...

[root@shuvavmrhel ]# ./reader
Attached to shared memory at:0xb7fff000
Reading from shared memory..
Segmentation fault
[root@shuvavmrhel ]#

The core dump file would suggest that the segmentation error in question is coming from the function Read():myshm.c at the memcpy() statement as shown below:

void Read() {
printf("Reading from shared memory..\n");
char data[8];
memcpy(data, mem_start, 8);
printf("Data is: %s\n", data);
return;
}

It is obvious that for some reason we are not allowed to read from the memory pointed by mem_start. If you run gdb and reach this line and try to access the memory pointed to by mem_start, it would display as follows:

81 memcpy(data, mem_start, 8);
(gdb) x/2 mem_start
0xb7fff000: 0x4f54454e 0x004f5454
(gdb) n
82 printf("Data is: %s\n", data);
(gdb) n
Data is: NETOTTO
84 }


You can now proceed with the gdb session. The memcpy works and we can see the data string "NETOTTO" printed for us.

No segmentation fault.

This is because when the reader memory mapped the shared memory into the process space, it did so with only the PROT_WRITE flag and not PROT_READ flag.

mem_start = mmap(0, MY_SHARED_MEM_SIZE, PROT_WRITE, MAP_SHARED, fd, 0);

The correct statement should have been

mem_start = mmap(0, MY_SHARED_MEM_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);

In gdb however, since we accessed the memory using the x/2 gdb-command, gdb acquired the read permissions and effectively the rest of our program which is running in the same space got the read permission for that memory segment. So it does not fail.

If we dont use the x/2 command in gdb, we would get the fault in gdb too.

This is a very important thing that I have learned and I am writing it here so that I dont waste another half a day scratching my head to figure out what went wrong.

Thoughts?

Powered By ReadTheWords.com
Today as I start my Netotto blog, I thank all open-source software contributers, to start with, with Alexander Palmo, the author of the Simple PHP Blog. This blog wouldn't have made it live so soon without his contribution. I will talk more about Netotto and Simple PHP Blog sometime later.

Talking and thinking of open source software, I was wondering the other day -- "Which is the one open source software which has helped me the most?", filtering the Mama of all Open source, Linux. I was specifically thinking of applications and tools.

I, like most software developers, use a lot of open-source tools/applications, and take these freebies for granted. Coming to think of it hard, they have made life easier for me so many times. They helped me earn my bread and butter too.

So, which is my favorite? Cygwin.

Yes Cygwin.

When I entered the IT industry as a software developer 7 years back, I was working on UNIX for the first 3.5 years. College was also all UNIX. Windows was only for checking emails, playing games and chatting (IM). When it comes to work, I was quite afraid of windows.

After three years, when I changed my job, they gave me a box with Windows 2000 Professional and I found myself working like a handicapped person. It was difficult to move the mouse all day long. I did not even know how to write simple tools in DOS. Without shell and Perl, my productivity was taking a hit.I was missing something seriously.

But fortunately it was a pleasant accident to stumble upon Cygwin while Googling. This tool claimed that I can run any UNIX command on my windows machine. Its an emulator. Since then I have never been able to live without Cygwin at my workplace or even at home.

For those those who dont know what Cygwin is, you must visit its website to find out more, but here it is as I see it.

In layman's terms:

Once you install Cygwin on your Windows box, and start the app, it opens a window just like your Windos Command Prompt. At this command prompt you may RUN ALL UNIX COMMANDS AND WINDOWS COMMANDS. dir or ls. It works. You can even change and see file permissions in rwxrwxrwx formats. Dont believe it. Try it.

All my UNIX scripting languages, XEMACS editor, vi, Perl, Bash, gcc, everything that a user on UNIX can think of is available on your Windows box. For a moment you think, WOW --this is called cross breeding.

Click the icon below to have a look:

(If you are wondering what /usr/bin/gcc maps to in my C drive, it is actually C:\cygwin\bin. In short, the way you see files on your Windows OS is made usable for you in UNIX format)


In technical terms:
# Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality.
# A collection of tools which provide Linux look and feel.
# Cygwin is not a way to run native linux apps on Windows. You have to rebuild your application from source if you want it to run on Windows.
# Cygwin is not a way to magically make native Windows apps aware of UNIX ® functionality, like signals, ptys, etc. Again, you need to build your apps from source if you want to take advantage of Cygwin functionality.

Add to Cygwin a Window Manager over an X Server, you have a Linux-KDE or your Exceed(HummingBird) like environment on your Widnows desktop. Can life be more cool free of cost?

There are many free Window Managers available like Cygwin/X, CyGNOME, KDE-Cygwin. However, I personally have been using WindowMaker and so far I haven't faced any trouble using it.It consumes about 4MB of your RAM with no applications loaded and when left idle, the memory usage goes down to 1.5MB. 99% of the times I use the WindowMaker just opening multiple ssh sessions. I generally work with multiple UNIX servers and end up having 10+ ssh logins neatly organized over work-spaces. Being an X manager, you could also set the DISPLAY and open UNIX GUIs on your X, but thats very rare for me.


Installation tricks and hacks:
If you are going to install Cygwin and WindowMaker, here are some of the tricks and hacks which might be useful.

1. Downloading Cygwin is the first step. You get the setup.exe and run it. Choose to download all files first and then install in another session of setup.exe. While downloading I would suggest you download all packages (650MB+). The package choosing part is not very obvious to most first time users. You need to click on a rounded arrow as shown in the screen shot below. Wait for a few seconds after you click. Wait till it all becomes "Install".

The screen shot by default will be.

Click the rounded arrows to make it look like:


The same trick holds true while installing. Keep you Download dir and install dir separate. I generally choose C:\Downloads\cygwin and C:\cygwin respectively.

I haven't seen a single team member so far who did not do this mistake the first time.

2. While installing WindowMaker, you need to build it the GNU-style. configure, make, make install. While running he configure script, if you get permission denied errors, go to the WindowMaker dir and get write permissions for yourself. There is a high chance you will get this error, if you are using Windows XP and are logged on in a domain.

3. While running the configure, run it with the --enable-kde option. You will get a lot of useful kde-like GUI on your X.

Once you are done with make-install, you type in the following commands:

x& --- this will start your Xserver.
wmaker& --- this will start the Windowmaker.

If you dont face trouble while running wmaker and see a purple workspace on your X, you are lucky. You are however very likely to get the two following errors:

1. Display not set. To fix this type:
export DISPLAY=localhost:0.0

2. You get lots of errors like "Could not create directory". This will most probably happen if you are at office and not at home. This is because you have a space in your home directory. Example: "C:\Documents and Settings\shuva". wmaker apparantly does not like spaces in the path. It actually tries to create a dir called GNUstep" where it would keep all preferneces. You can override this by setting the environmental variable GNUSTEP_USER_ROOT. I keep it in my C:\Documents and Settings\shuva\.bashrc file.

alias ll='ls -l'
export DISPLAY='localhost:0.0'
export GNUSTEP_USER_ROOT='/usr/local/GNUstep'


So whenever you start your computer fresh you do these steps:
1. Double click on the Cygwin icon on your desktop.
2. source .bashrc
3. x&
4. wmaker&

It may appear that its a pretty difficult thing to setup in your computer, but it actually is not. Once you start using the power of cygwin.dll on your Windows box, you will know what its worth.