Evolving Password

When I first heard about quantum cryptography, I started thinking about an evolving authentication key, a door key that changes shape when it is used. Such a key cannot be copied and used without alerting the original key owner because the matching lock changes in sync. The actual mechanism used to evolve the key and the lock together is implementation specific.

An evolving password is an evolving authentication key in that the password changes each time it is used to log in successfully. Since a password is essentially a shared secret, evolving a password involves another shared secret: a challenge. One way to implement evolving passwords in a webapp is for the webapp to generate the challenge and send it in the password form field.
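As an added illustration (not code from the post), here is a small model of the key-and-lock idea: both sides hold the same secret, the server issues a random challenge per login, the key answers with an HMAC over the challenge, and on success both sides evolve the secret with a second HMAC. HMAC-SHA256 as the evolution function is my assumption; the post leaves the mechanism implementation specific. The simulation shows what happens when a copy of the key made at time zero is used before or after the owner.

```python
import hashlib
import hmac
import secrets


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Proof of possession of the current secret for this challenge."""
    return hmac.new(secret, b"auth:" + challenge, hashlib.sha256).digest()


def evolve(secret: bytes, challenge: bytes) -> bytes:
    """Next secret; the distinct label keeps it separate from the response value."""
    return hmac.new(secret, b"evolve:" + challenge, hashlib.sha256).digest()


class Server:
    """The lock: holds the current secret and the one outstanding challenge."""

    def __init__(self, initial_secret: bytes):
        self.secret = initial_secret
        self.pending = None
        self.alerts = []

    def new_challenge(self) -> bytes:
        # Fresh random challenge per login attempt (sent in the password form field).
        self.pending = secrets.token_bytes(16)
        return self.pending

    def login(self, response: bytes) -> bool:
        challenge, self.pending = self.pending, None
        if challenge is None:
            return False
        if hmac.compare_digest(response, respond(self.secret, challenge)):
            self.secret = evolve(self.secret, challenge)  # the lock changes shape
            return True
        # A response built from a stale secret is the signature of a copied key
        # (or of a desync); either way it deserves an alert, not a silent failure.
        self.alerts.append("stale or unknown secret: possible copied key")
        return False


class KeyHolder:
    """The key: evolves its secret only after the server confirms the login."""

    def __init__(self, initial_secret: bytes):
        self.secret = initial_secret

    def answer(self, challenge: bytes) -> bytes:
        return respond(self.secret, challenge)

    def confirm(self, challenge: bytes) -> None:
        self.secret = evolve(self.secret, challenge)


def attempt(server: Server, holder: KeyHolder) -> bool:
    """One full login exchange: challenge, response, evolve-on-success."""
    challenge = server.new_challenge()
    ok = server.login(holder.answer(challenge))
    if ok:
        holder.confirm(challenge)
    return ok


def simulate(owner_first: bool) -> dict:
    """Owner and a copied key both start from the same (constructed) secret."""
    s0 = b"constructed initial shared secret"
    server, owner, clone = Server(s0), KeyHolder(s0), KeyHolder(s0)
    first, second = (owner, clone) if owner_first else (clone, owner)
    first_ok = attempt(server, first)      # evolves together with the server
    second_ok = attempt(server, second)    # still holds the stale secret
    later_ok = attempt(server, first)      # the evolved key keeps working
    return {"first_accepted": first_ok, "second_accepted": second_ok,
            "first_still_works": later_ok, "alerts": len(server.alerts)}


if __name__ == "__main__":
    print("owner first:", simulate(owner_first=True))
    print("copy first: ", simulate(owner_first=False))
```

When the owner logs in first, the copy is rejected and the server records an alert; when the copy is used first, it is the owner who gets rejected, which is exactly how the owner learns that the key no longer fits the lock. The key evolves only after a confirmed success because an optimistic evolve on a dropped response would desync the two sides; a real deployment still needs a recovery path for that case, which the post leaves to the implementation.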

I've been thinking lately about combining the evolving password idea with Stanford Security Lab's web password hashing (PwdHash) idea. But I am not sure when, if ever, I'll have time to build a prototype, so I am blogging it to relieve the stress of creativity. 🙂

Notes for Emails

Why is it that Outlook won't let me add notes to email messages I received? For that matter, I don't see why email messages and contact information have to be stored in their own proprietary containers. Just following a trail of thought here. I'll explore this more later.

Crash!

I am trying to recover from my main PC's hard disk crash so I'll be out of sight until the mess is cleaned up. The matter is made worse because I have been lax with backups. At this point, it looks as if it was a drive head crash which wiped out only 75 blocks out of millions of blocks. Unfortunately, at least a few of the blocks are needed to boot so it's dead for the moment. sigh.

Update:

I am now using SpinRite 6.0 to examine and attempt recovery of the unreadable sectors. If it does its magic for me, $89 is well worth it and I would be more than happy to add my testimonial to the long list at Steve Gibson's geeky website. It's awfully slow though. Maybe it's because the drive is a SATA drive, not an IDE drive. So far, after 4 hours, it's 1% complete. 9 bad sectors were found in that time but none were fully recoverable. Urgh.

Update 2:

SpinRite now estimates that it will take 395 hours to finish. Egads. Looks like I am gonna have to ask Steve for a refund. 😦

Update 3:

Gave up on SpinRite as it took 12 hours to process 2% of the disk. Recovery-wise, it was unable to recover most of the bad sectors it found during that time. A bad sign. I went to Fry's a few hours ago to pick up a copy of XP Pro (couldn't find the CD at a glance and didn't feel like spending an hour looking for it) and a couple of 250G SATA drives. Installed one drive and attempted to install XP only to find out that XP didn't recognize the new drive because it didn't come with SATA drivers. The only way to load the drivers was with a floppy. Found a bunch of floppyless XP install questions but not many answers without a working Windows. So I ripped one out of an ancient abandoned PC in the garage and, after a bit of grunting and cable madness, got it installed, found the SATA drivers from Intel, fast forward and I am now entering the product key. Whew! I sure hope the files I need on the crashed drive are still there, intact.

Final Update:

Hurrah! After many more twists and turns, much of it due to Dell's mediocre driver slip-streaming practice which leaves store-box XP installers clueless, the system is back up with every device working. And I like the new faster, quieter drives I got. Now all that remains is reloading all the software like Office, Visual Studio, and development tools. The best part is that none of the files I needed on the crashed drive seem damaged. I won't know for sure until I start opening and compiling them, of course.

General MacArthur’s Statue in Inchon

When North Korea invaded on June 25th, 1950, the South Korean army was caught ill-prepared and retreated south, primarily fighting to buy time for help to arrive. The UN acted unusually quickly and UN forces, mostly American, started pouring into South Korea. But it was not enough to reverse the tide. By August, UN forces were cornered around Pusan.

On September 15th, 1950, General MacArthur struck back with a daring landing at Inchon.

It was one of those frightening yet inspiring moves that every wannabe general (including me) dreams of.

Each of those red flames is an icon of bravery and sacrifice.

The remarkable landing at Inchon turned the tide of the war. In 1957, a statue of General MacArthur was erected at Freedom Park looking out toward Inchon harbor.


Sadly, some misinformed liberals are trying to remove the statue.

Pro-North Korea websites like this one have been spreading misinformation and alternate history among Korean youths and socialists. Liberal news organizations like OhmyNews (lots of good pictures here) haven't been helping either by spreading biased yet compelling views and exercising non-neutral editorial practices. While Korean conservatives and war veterans, like my father, are rallying against them, they are doing so with their versions of history filtered and transformed by their personal biases and overflowing emotions.

That's citizen journalism and personal publishing at work. Powerful technologies are like steaming teapots. They can make great tea on a four-legged table, but what if the table had only two legs?

I guess what I am trying to say is:

  • Webpage is not truth
  • Pagerank is not trust

The Web is appropriately named, for it can catch you as well as inform you.

eBay and Skype

Like everyone else, I don't see the justification for Skype's valuation in the billions. Its technology and service are not compelling enough and there are technical and quality issues. And its biggest asset, the user base, is a sandcastle: it will get washed away at the next big wave of free, higher quality services.

I think the really valuable real estate in the VOIP market is not the VOIP service but the VOIP directory and routing services. A VOIP directory service enables me to make and receive calls regardless of which VOIP service I am using. A VOIP routing service lets me easily switch devices and route calls.

To get that started, I think the easiest path is to use real world phone numbers as VOIP endpoints instead of using VOIP service-specific handles like Skype IDs. Endpoint claims and disputes are resolved using phone-based authentication.

Shocking Before and After Satellite Pictures of New Orleans

I couldn't quite grasp the magnitude of the disaster at New Orleans so I searched for satellite pictures and found them at GlobeXplorer. I couldn't believe what I saw: an entire city flooded.

Before Katrina (March 9th, 2005)

Courtesy of Digital Globe

After Katrina (August 31st, 2005)

Courtesy of Digital Globe

You have to compare the two in the detailed images (click through on the images above) for the full impact. All those houses, block after block, across the entire city, every single one of them some family's home. OMFG.

I think what they need is more immediate than donations. They need a nationwide convoy to deliver food, water, and supplies there and then use the cars to move people out of the area. They need volunteers with cars and trucks to go there and people to buy goods to fill those vehicles with. Is anything like that being organized?

Update:

Sad parade of pleas for rescue and reports of roaming armed gangs.

Java Recommendations

DWR – AJAX framework for Java. Easy to use.

XFire – New SOAP framework for Java. Fast and simple.

Spring – application framework. Great for easy configuration and wiring of components. Has built-in support for JMX.


Drools – RETE-based Rules engine. Fast.

ServiceMix – Enterprise Service Bus. Works well with XFire and Spring, and uses Drools for smart routing.

BIRT – Jasper-like reporting tool for Eclipse. While Jasper still rules, BIRT is starting to look good. Includes J2EE report output runtime as well.

That's all for now.

JRuby

Given my recent tinkering with Ruby and Rails, Tim Bray's mention of JRuby made me check it out. It's supposedly compatible with Ruby 1.8.2 and supports most built-in classes and BSF (the Java world's common scripting language harness).

There are some interesting experiments going on in the JRuby world such as integrating Spring Framework into JRuby which allows Ruby objects to be weaved together using Spring configuration. There weren't many references to Rails on JRuby though.

While searching, I also ran into an article comparing the latest crop of Java-based scripting languages.

Choosing a Java scripting languange: Round two

Here is a performance comparison chart from the article which I found interesting:

As you can see, the current implementation of JRuby is really slow. But I think its performance should increase to be comparable to Jython after a few rounds of optimization.

What surprised me was how fast Rhino has gotten. Rhino smoked all other languages on the chart except Java! I haven't looked at Rhino since version 1.5 but I got more good news when I looked it up this morning: Rhino 1.6R2 (the latest stable version, released ten days ago) supports ECMAScript for XML (see Jon Udell's Introduction to E4X), which makes XML a first-class citizen in the JavaScript language. Very nice.

Mid-experience comment on Ruby syntax: so far it feels better than Perl but worse than Python. I am finding Ruby code difficult to read and focus on. The endless jutting ends and the seemingly frivolous abuse of special characters are annoying too. Expressions like:

class Dog < Animal

create conflicting echoes in my head because the meaning of '<' in general conflicts with its meaning in Ruby. The differences can be explained away but I think the designer of the Ruby language doesn't realize that logic does not dance on eyelids. Damn. I am slipping into poetic zen mode again. Help!

Ruby on Rails on Eclipse

Apparently, hot from the oven:

Setting up a Rails Development Environment on Windows Using Eclipse.

My only complaint is that setting up the external rails commands is rather tedious and the commands have no guard rails (sorry) due to the command-line level integration with Eclipse.

NOTE: I am not completely sold on Ruby nor Rails. I am playing around with Ruby on my breaks just to get the bitter taste of real world engineering out of my mouth.

Update:

WEBrick is usually shut down with control-C but since it is launched as an Eclipse external tool, it has to be shut down directly from the Eclipse Debug view.

Contactless Credit Card Vulnerability

Currently deployed contactless credit cards are vulnerable to a bump-and-relay attack. Roaming harvesters, equipped with modified readers that relay signals into a stolen transaction exchange network (STEN), bump into a contactless credit card carrier. Roaming spenders, equipped with a device that replays contactless card signals relayed through the STEN, make purchases anywhere contactless credit cards are accepted. The STEN matches harvesters and spenders on demand.

Note that this vulnerability is not high risk for card issuers because:

  • Most contactless payment cards are currently used for small-amount transactions of limited types (e.g. transportation, vending machines, etc.)
  • A STEN is difficult to set up, to keep from being detected, and to defend.
  • Profit sharing at large scale is difficult.

Still, I could see small-scale localized operations happening because the cost of investment and the risk of capture are both low IMHO. Thankfully, there are several solutions to this vulnerability, some of which are already being implemented.

One obvious solution is to require a two-phase commit for transactions above a certain size. Another, more low-tech solution, which I have not seen anyone propose yet, is to provide an RF-shielding sheath for cards so they can't be read unless the cardholder takes them out. I like this solution the best because:

  1. It's simple and effective.
  2. No change is needed to existing systems.
  3. It solves the multiple-contactless-cards-in-a-wallet problem as well.
  4. It creates branding/marketing opportunities.