Surfing on waves

Yesterday I got my Google Wave invitation. Of course I immediately signed-in and started digging around. Actually, there isn't much to see, especially since I have only 6 contacts there, and I'm in real contact with only 2 of them. That's not enough people to "wave" with, so I send some invites to some more people which requested invites before, and didn't get them. It appears that the invite process is taking a few days, so I'm still quite alone there.

Anyway, along with this other person, I started checking out all of those features promised in the intro video. Many features aren't implemented yet, which makes the experience very incomplete. Most importantly, I was hoping to publish this post from Google Wave, but the plug-in simply does nothing.

After a few hours of blipping, we got this one giant wave, which is very much not readable, and there's no way of understanding what's going on within. The fact you can post replies in the middle and anywhere else makes it very difficult to follow. Also, you must use keyboard shortcuts if you really want an uncrippled experience.

Finally, I can say that while I am excited to be part of this beta, I think this platform isn't revolutionary. It's a nicer way to have email (like GMail interface is better than Outlook), and an awful way to do IM. Perhaps when the plugins would work it'll be better.

Connected Home

Right now I'm sitting in the living room, with my laptop, writing these lines and having some background tabs in the browser which stream some TED talks and YouTube videos. Girlfriend is near the PC, streaming some Internet radio while searching the web for stuff. My cellphone (Nokia N95) is connected over the WiFi and runs fring and occasionally some other apps which requires Internet access. The popcorn hour (a topic for another post) is on, pulling some software from the net as well. Everything works perfectly smooth. I have an Internet-enabled home. Wait, where do I find a WiFi-supporting toaster?

Do you trust your AntiVirus?

I know the topic of "how crappy signature based AVs are" is already beaten, and there are thousands of other posts about it, but I had to give it my own perspective.

But first, I guess you are running an OS which leaves you no choice but having an AV running. Otherwise, you're probably reading this for fun and knowledge, which is even better.

The vulnerability I'll be discussing about is quite old now (8 months), and is about the way Adobe Acrobat Reader parses PDF files with JBIG streams within. You can read an analysis of the vulnerability in other places. Since this isn't a new vulnerability, you'd guess that by now AV products would be able to block it well. You guess wrong.

I've taken a sample which is generally blocked by most AV products, and did a little modification to the 5th byte in the stream. The modification left the 6th bit on, so the file is still malicious. Now have a look at the first picture below - only 1 AV caught it as malicious.

Let's make another modification and change some few more bits, still leaving the 6th bit on... drum roll... not even a single AV did the job (second picture below). The file has passed and could potentially exploit the unsuspecting user who believes that having a decent AV would keep him safe.

Improving impression in job interviews - Part 2

Only recently I discussed about the possibility of improving the impression at job interviews using credit you earn in online activities. Now it gets another approval. Today Jeff Atwood declared some sort of integration between StackOverflow and one's CV. This is another way for a potential employer to get a better understanding about just how good you are, even before you get to the interview.

Having a respectful StackOverflow/SuperUser/ServerFault account might prove itself useful the next time you look for a job.

Respect

Usually I don't publish stuff I do at work in this blog, since we have a different blog for that, and most of the stuff doesn't justify re-writing or there's nothing I can elaborate.
This time it is different, since Bruce Schneier has quoted us, which is something that's considered as a great respect in the security community.

The URLZone trojan is very sophisticated, since it fakes the displayed balance in the bank site, so the end user could never tell the money was stolen. Also, the trojan uses the current opened session to the bank, so it doesn't need to send the account credentials nowhere.

If you like to read a great technical analysis of this trojan, you can find it in our blog.

The SMS will die

For sometime now I've been using fring on my Nokia smartphone to communicate with my IM buddies. I can tell it is very convenient, and VoIP quality for both Skype and GoogleTalk is excellent.

Since most 3G subscribers today also pay for a data plan (which basically means - Internet traffic), applications such as fring would become more and more popular. Leaving it on for the entire month, just for texting, wouldn't drain even the most basic data plan. Using it for some VoIP calls would push the bandwidth usage and might bring it to the limit. Even so, using SkypeOut or GoogleTalk instead of long distance calls would make the price of a larger data plan quite reasonable.

I believe that eventually everyone would be connected to their IM service(s) while using a mobile device, and would use it for text messages. This would probably mean that the SMS would die, as it wouldn't make sense anymore to pay (even if it is only few cents) for 140 chars anymore.