Saturday 5 December 2009

Twenty-Two (OMG) Google Wave Invites [UPDATED]

I've got 6 22 invites for Google Wave.
Google Wave is a infrastucture allowing users to communicate and collaborate, in real-time.
Down here a very loooooooooong video of the last Google IO, in which some engineers are showing the wave technology capabilities.

Google Wave is particularly suitable for:

  • Organizing events
  • Brainstorming with other people
  • Sharing photos
  • Taking meeting notes (ensuring all people have all the details, for example)
  • Playing interactive games
The features can be expanded, writing plug-ins and now supports spell-checking and translation in different languages.
All communications are based on the Google Wave Federation Protocol. This protocol aims to become a standard element to be used by different implementations of "Wave" applications.
For the invites, please leave comment this post.
The first 6 (remember to place your email in the post form, a gmail one is required) users will receive an invite.
Tell me how did you reach my blog and if you were following me in some way (feed, visiting the website, etc...).
As Dr.Google Wave adverts:
Invitations will not be sent immediately. We have a lot of stamps to lick.

Wednesday 2 December 2009

Chrome OS - What is Google doing?

Well... Chromium OS is out!
As usual, it has been released by Google in the classic "Beta" style.
As they did with Google Android, but having a different target: trying to get experience in a field  in which the company has never landed.
They're also trying to obtain some percentage of market, to annoy main competitors, getting published in a lot of newspapers and so on (read it as free advertising).
I had no time to test it, but all I can see is an increasingly interest of developers on checking it out, rebuilding and trying it in a virtualized machine.

It surely lacks in hardware support and configuration.
BUT a lot of people are remarking one thing: if the operating system is a safe and secured environment, nowadays all the activities can be performed via browser, in the cloud.
Better if Google switches users in the
Google made ChromiumOS (the correct way to say it should be: "placed together different open source projects and glued them by using their IP and ideas") announcing a secure operating system.
Schneier in this article said it was an "idiotic claim". Well... Maybe they wanted to say that the newborn OS, being Linux derived, will have less problems than Microsoft counterpart.
There's a page in the ChromiumOS Project website, in which Google tries to explain how security is implemented.
I'm quoting a part of it:

The perfect is the enemy of the good.  No security solution is ever perfect.  Mistakes will be made, there will be unforeseen interactions between multiple complex systems that create security holes, and there will be vulnerabilities that aren't caught by pre-release testing.  Thus, we must not allow our search for some mythical perfect system to stop us from shipping something that is still very good.
Deploy defenses in depth.  In light of our first principle, we will deploy a variety of defenses to act as a series of stumbling blocks for the attacker.  We will make it hard to get into the system, but assume that the attacker will.  We'll put another layer of defenses in place to make it difficult to turn a user account compromise into root or a kernel exploit.  Then, we'll also make it difficult for an attacker to persist his presence on the system by preventing him from adding an account, installing services, or re-compromising the system after reboot.
Make it secure by default.  Being safe is not an advanced or optional feature.  Until now, the security community has had to deploy solutions that cope with arbitrary software running on users' machines; as a result, these solutions have often cost the user in terms of system performance or ease-of-use.  Since we have the advantage of knowing which software should be running on the device at all times, we should be better able to deploy solutions that leave the user's machine humming along nicely.
Don't scapegoat our users.  In real life, people assess their risk all the time.  The Web is really a huge set of intertwined, semi-compatible implementations of overlapping standards.  Unsurprisingly, it is difficult to make accurate judgments about one's level of risk in the face of such complexity, and that is not our users' fault.  We're working to figure out the right signals to send our users, so that we can keep them informed, ask fewer questions, require them to make decisions only about things they comprehend, and be sure that we fail-safe if they don't understand a choice and just want to click and make it go away.

They are using sandboxing techniques and they will try to apply it even at lower operating system layers (such as drivers).

Monday 23 November 2009

MIT Open Course Ware

MIT OpenCourseWare is a web-based repository of MIT university course materials.
It is free, it doesn't require any registration. Obviously, you can't get any certificate or degree!

Others universities all over the world are sharing Course Materials: official ones are those affiliated to the Open Course Ware Consortium.

A great step towards education for all people is to make content and knowledge available for free and the smoothest way possible.

Contents are available as lecture notes, exams, videos, audio files...

It is also possible to contriute on this activity, translating contents in non-english languages or use them (giving the proper attribution to the original MIT Faculty Author/s).
Contents are released in Creative Commons BY-NC-SA License.

Monday 9 November 2009

Non-exploitable vulnerabilities at source code level

I am writing a small article describing a kind of vulnerability that can be used against Linux Kernel.
This is due gcc and its optimization procedures, in some cases, make some source code buggy.
Furthermore, in this case, if SELinux is enabled, the system becomes weaker.

The vulnerability is described here (by Brad Spengler) and it can be exploited in Linux Kernel 2.6.30+/RHEL5 2.6.18 in /dev/net/tun.
The implmentation (was, before being fixed):

struct sock *sk = tun->sk; // initialize sk with tun->sk

if (!tun)
return POLLERR; // if tun is NULL return error

As tun is dereferenced (to use tun->sk) the compiler assumes that tun is non NULL, so it removes the check for tun against NULL.
Avoiding the initial crash caused to bad initialization (using mmap and SELinux), it is possible to exploit the Kernel because there is no check against tun.

I can point You all to this blog, in which are described a lot of vulnerabilities (also silently fixed ones).
Milw0rm is another source of exploit notices.

Thursday 3 September 2009


Some good music... I wanted to add a mixtape but favtape is down.

Saturday 29 August 2009

How to localize Firefox 3.5.4pre (or latest)

You added Mozilla Firefox repositories to Synaptics and you're getting only the English version of the browser?
Searching for other stuff, I reached this place...

Get your xpi file and your Firefox will be localized!

Tuesday 21 July 2009

Google Android porting on x86 - UPDATE

Google Android version 1.5 (Cupcake) has been ported on the ASUS EeePc 701.
Two members of Google Groups, beyounn and cwhuang01 created a Google Code group named Android-x86, in which we are "branching" the original Google Android source code in order to obtain an updated, fully featured and working OS.
We were trying to make Cupcake boot on different NetBooks and/or VirtualBox VMs. So we decided to merge our works.
Current status:
  • Intel on-board VGA is working (with 2.6.30 Kernel it is possible to set the right resolution)
  • GPS USB Serial device is correctly binded to OS
  • LAN 100Mbit Network Adapter is working (both DHCP and static configuration)
  • WiFi Atheros 5k Network Adapter is working (both DHCP and static configuration)
  • USB Mouse (software mouse) and/or Keyboard works
  • USB Pen Drive or Memory reader can be mounted as SD Card
  • Audio is working (ALSA was not working due to a rebuild mistake in the Android Make System)
  • OpenGL-ES are going to be supported, there's a group of developers sharing their code here

Firefox 3.5.1 still exposing bugs

Firefox 3.5.1 represents a step towards a faster browser.
Several benchmarks show Safari 4, Opera 10 and Chrome as the fastest browsers on the market - I heard "Webkit rules" - and they only seem to lack in the plug-ins feature.
I'm not taking into account IE X.x because... I think it already exists only because is bundled into the most common OS in the world. And there's no reason to use it.

Anyway... After the first exploit (more here) soon patched by Mozilla team, we got a bug in JavaScript engine, not well managed in 3.5.1.
The issue is well described here and this time it is not useful for executing code (at the moment), but "only" for a DoS.
Possible workaround? Disable JavaScript, No-Script plug-in or switch to the older JavaScript engine from about:config, disabling javascript.options.jit.content. Choosing the 3rd option, there will be a drop in the overall performances of Firefox.

Thursday 11 June 2009

Friday 29 May 2009

Porting status and Canonical developers' news

The porting process of latest Google Android sources to ASUS EeePc 701 is almost complete.
Current status:
  • Intel on-board VGA is working ( 640x480 until 2.6.29 Kernel )
  • GPS USB Serial device is correctly binded to OS
  • LAN 100Mbit Network Adapter is working ( both DHCP and static configuration )
  • WiFi Atheros 5k Network Adapter is working ( both DHCP and static configuration )
  • USB Mouse and/or Keyboard works
  • USB Pen Drives can be mounted as SD Cards
  • Audio is not working ( surely an ALSA configuration issue )
Furthermore, our A.API is working. I cannot tell you anything more.

I read in some websites (ArsTechnica) Canonical developers are focusing their attention on run Android applications on Ubuntu.
That can be technically done by writing a Dalvik VM that lies over a Linux distribution.
Or using an emulator, but it exists and it is too slow. No optimization can guarantee a smooth execution of the applications.

Monday 4 May 2009

Android on Eee Pc

I am porting a Android to an ASUS Eee PC (fully featured, from source code downloaded on 3rd April).
I'll post few tutorials or something similar in next weeks.

You can know more here.

Blender Project

That's the "Computer Graphics" course project.
It has been my first time using Blender. It is a great editing tool, but it has a weird user interface (I'm not talking about Graphical UI).
Mainly, you must become a "Shortcut God". After that, following tutorials and some experience, you'll get some results.


Monday 16 March 2009

Robochecker published on Google Code

We are proud to announce that the whole source code and documentation about our "lego robot playing draughts" is on Google Code, exactly here.

The software has been written in Java, using leJOS API for controlling the NXT Brick.
It is possible to use Java by flashing a custom firmware on it.

It has been a great chance to improve our programming knowledge in Java (in source code you'll find a lot of code as implementation of threading, class factories, interfaces) and have fun.

Monday 26 January 2009

Google projects: permanent beta (or alpha?)

Google Mail: BETA!
Google Maps: BETA!
Google x | x is a Google project name.

Android was released as 1.0 version. No "BETA" word applied to it. But with the latest repository merge, they're loosing control of the huge number of sub-projects and modules of the project.
They are publishing code stubs, fulfilled with comments (not very useful in most cases), without any implementation example.

I hope Google is having strictly coupled information exchanges with big mobile devices manufacturers, or they'll soon branch the Android project, choosing their best way to implement what they need.