Milter Smelter, Wash Out with gSoap

I spent the whole weekend writing a milter (sendmail filter).  Everything was going great until I started making some SOAP calls from within the milter and, wham, I am getting that stupid 'Expecting 5' message.  Urgh.  It's not fun working with a sensitive piece of crap.

BTW, gSoap is a great library for implementing web service client or service in C or C++.  Only problem is that its rather disorganized so you'll have to waste some time figuring out what the hell is going on.

Taekwondo Rising

I thought above shot was the best Athens Olympic photo so far.  Chu Mu Yen, the guy in blue coming in for a landing after after delivering a brutal counter-kick, won Taiwon's first Olympic gold.  Nice kick and nice form during landing.

<

p align=”left”>Taekwondo was added as an official Olympic sport four years ago, but rules discouraged spectacular attacks and was hampered by distrust of judges.  For Athens, they changed the rule to encourage head or knockout attacks and made extra efforts to shore up quality of judging to good effect and Taekwondo is starting to become one of the most exciting Olympic events to watch.

Resend

I had a mail server relay problem which dropped incoming mail last weekend, yesterday, and part of today.  At first, I thought it was my network provider's POP3 server, but it turned out to be a problem with Docuverse.com mail server.  I think I fixed the problem so, if you sent me emails and haven't heard back from me or got a bounce, please resend.

PHPEclipse

PHPEclipse is an Eclipse plugin that turns Eclipse into a PHP IDE.  I don't usually do PHP work, but a close friend of mine asked me to review his company's PHP-based website so I had to review a massive body of PHP code within only a few hours I could spare.

While any text editor can be used to write PHP code, mere text editors are not enough when you don't have much time to cover a lot of code.  So installed PHPEclipse and found it to be really nice.  It checks syntax and helps you trace and navigate call hierarchies easily.  I haven't tried its debugging capabilities, but I was delighted enough with just the capabilities I used to recommend it to PHP developers.

BTW, I am not a PHP developer and I don't build websites for small businesses.  It's not that that is not a respectable business.  It's just that I don't like doing what millions of others developers can with adequate competence.  Yes, I am a prima donna of sort.

Eeeks! My Third Year!

I didn't realize today was my second blog anniversary until I got up in the afternoon and read Dave's posts.  Big thanks to Dave and Jeff for noticing.

I was getting a little annoyed with myself in the past few weeks because both quality and quantity of my posts have suffered lately.  Maybe it was the anniversary things.

Phishing behind Google

I just received a phishing email purporting to be from PayPal.  No surprise there since I get many of them everyday, but I looked closer at this one because it looked very professionally done.  I looked at the raw message and found this odd link:

This particular phisher is bouncing off Google to hide itself from domain name-based phishing detectors and scanners.  Clever.  Clicking on the link will open a browser to Google's URL search CGI which will automatically redirect the browser to the phishing site at IP address 209.152.181.10.  This trick will bypass phishing detectors that examines only the domain name part of a URL to see if it looks suspicious.

So the lesson here for security developers is to look at all the parameters and to keep track of oh-so-helpful redirectors like Google.  Also, website developers should keep in mind that helpful service is helpful to all, including the bad guys, and they might become an unwitting partner in crime.  For lawyers, it's a new source of income concern.

Open Source Inspectors

Open source is not inherently more secure than closed source.  If you have doubts about the preceding statement, Dare Obasanjo's The Myth of Open Source Security series of articles is a good place to start.

Two main problems I see from my perspective with open source security are that a) there are no compelling incentives for open source developers to examine the code, and b) they have to examine everything.  Even if all the developers are coerced into doing so, not everyone will do a good job and everyone is not the same as everything.

On the other hand, blackhats have compelling incentives to look at the code and they only need to look at a fraction of the code developers have to look at since they only need to find one vulnerability to hit paydirt.

While I agree with Dare on most points, I think his suggested solution of adopting software quality enhancing techniques and practices is unimplementable for most open source projects.  As software developers and managers, we tend to focus too much on how we doing things and what we use to get things done, meaning skills, techniques, and tools we use every day.  The open source movement is not about those things.  It's not about how or what but who, people doing things together.

Quality of open source software cannot be improved by asking people to wear straight jackets and drawing lines on the floor telling people where to go next.  Instead, we need to see the entire open source community as a global ecology and find subtle ways to change the antfarm environment so that the ants people will naturally respond in the direction that improves the quality of goods they produce.

One such solution is the introduction of open source inspectors backed by inspector rating and reward systems.  An open source inspector is a software engineer whose responsibility is to inspect the quality of software.  Unlike developers who tend to stay with a small stable of projects for extended periods of time, inspectors are gypsies who move from projects to projects.

Each inspector examines code for quality and security.  Result of an inspection is a report and a rating assertion signed by the inspector.  Rating assertions by an inspector ultimately affects the proficiency rating of the inspector.  Each bug or vulnerability discovered in the code they inspected lowers their proficiency rating.

Achieving and maintaining high proficiency rating is the lure reward motivating inspectors to dedicate a substantial portion of their time to inspect open source projects of their choosing pro bono.  If they are any good, they will find plenty of paying customers.

In summary, I am advocating the use of social engineering over software engineering to enhance open source security.  Designing, developing, debugging, and deploying social forces is the ultimate engineering profession IMHO.  The only problem with such a profession is that lifecycles of such 'wares' literally means lifecycles.