Karl's Technical Journal's Journal|
[Most Recent Entries]
Below are the 20 most recent journal entries recorded in
Karl's Technical Journal's LiveJournal:
[ << Previous 20 ]
[ << Previous 20 ]
|Sunday, January 22nd, 2012|
|Monday, December 6th, 2004|
Server-side mail filtering
Does anyone know of a simple way to filter emails with a certain header (like, "X-Spam-Status: Yes") into a specific maildir using a .qmail file? I seem to remember coming across a line that would do this, but after an hour or so of Googling, I can't find it. I'm sure that if it's possible, it's really simple and obvious, but my brain is officially dead tonight. I could do it with a perl script, but I'd rather not reinvent the wheel if I don't have to.
|Monday, July 12th, 2004|
|Wednesday, June 16th, 2004|
|Thursday, May 27th, 2004|
Camera phones as mice
is cool, although I don't see why it's limited to just spotcodes. Theoretically, I think you could apply the same algorithms that are used in optical mice to make camera phones work as input devices. You couldn't use them as traditional mice (unless you placed it on a self-illuminating surface such as a display), but you could detect rotations and (and to a lesser extent, translations) in three dimensions. Thoughts?
|Thursday, March 25th, 2004|
Google Knows All
Today I created an image (which I will link to later) of Visio being on crack (i.e. not displaying text or icons on its menus), and mentioned the URL only three times on IRC. A few hours later, I was looking through my web server logs, and somehow Google had discovered the file! As far as I know, it's not linked to anywhere (including any type of automatic index created by Apache). My two hunches are 1) Someone's making logs of the channels I'm in available on his/her web site, or 2) Google's toolbar is reporting URLs back to Google to be spidered later.
Come to think of it, it's probably someone using the Google toolbar with the PageRank(TM) meter turned on. When Google got a request for the PageRank(TM) of an unrecognized URL, it logged that URL to be spidered later. This has interesting privacy implications, because a secret URL you share with someone might not remain one (think naked photos and Google's image search).
|Saturday, March 13th, 2004|
Attention VNC geeks
graciously donated his old 17" monitor to me. Originally, I had planned to upgrade Melissa's old 15" monitor (in use as my second monitor) to malerin
's 17", and use the 15" for a computer in the bedroom, but then I had a better idea: If two monitors are better than one, three must be better than two!
Of course, my laptop only has one VGA out port, so I can only physically connect one extra monitor (the laptop's LCD serves as the primary display). So, I had an idea: connect one monitor to my (currently) headless Linux box, and use VNC to connect to my laptop and display the right-most third of my extra-wide desktop.
It turns out that there doesn't seem to be a good way to do that. Windows thinks there's only two monitors, so the desktop won't extend past what's visible by the first two monitors. I found a program
that uses a custom driver to do the same thing I want to do, but unfortunately VNC isn't able to see anything on the virtual monitor. I was thinking of setting my video card's drivers to use a virtual desktop that's bigger than the physically displayed one, but it seems that nVidia pulled that feature out of their drivers. I suppose I could always downgrade my drivers?
Anyway, it seems like the ideal situation would be to have a driver that emulates the video card, which would have two main advantages: my desktop would actually extend to a third virtual monitor, and the driver knows EXACTLY what's been updated on the display, so VNC doesn't have to keep polling. Ultr@VNC
seems to use this approach, but the driver is binary-only for some reason (while the rest is open source), and that kinda scares me.
|Thursday, February 5th, 2004|
|Sunday, February 1st, 2004|
New Userpic | Gratuitous Icon Post
I think my new userpic is rather self-explanatory. For those of you living in a cave or outside the US, the DMCA is a federal law that makes circumventing copy protection schemes, and devices that do so, illegal, among other things. Of course, the law tramples fair-use rights and has been greatly abused
This isn't an ordinary userpic, though. Save the userpic to your hard drive, change the extension to .zip, and see what happens when you open it. I won't ruin the surprise, so the explanation of why it works is below the lj-cut.( WTF?Collapse )
|Friday, December 5th, 2003|
Inside Check Numbers
As a follow-up to my previous post
on credit card account numbers, I decided to document what the funny-looking numbers at the bottom of your checks represent, including how to calculate the check digits.
First, you might be wondering exactly why the numbers are printed in such a weird font. The reason lies in how these numbers are read. Back in the 70s, when the current routing system was devised, computers were unable to optically recognize characters. A technology called Magnetic Ink Character Recognition (MICR) was created to allow computers to read these characters. As a check goes through a MICR reader, the ink (containing ferrous metals) is magnetized. The ink then passes over a read head, similar to one used in tape players. Each character gives off a unique waveform that can easily and uniquely identify the character being passed over the read head. Therefore, each character was designed in such a way so that it gives off a unique waveform, yet is still human-readable.
The Routing Number
The routing number, contained between the two routing/transit start/stop symbols (
), is made up of the following components:
| XXXXYYYYZ |
|XXXX||Federal Reserve Routing Symbol|
|YYYY||American Bankers Association Institution ID|
The Federal Reserve Routing Symbol
Usually, the first two digits of the Federal Reserve Routing Symbol indicate which of the twelve federal reserve districts
the bank is in. Numbers in the range of 21 to 32, indicate a "thrift institution," although assignment of these numbers was ended in 1985. To get the Federal Reserve district number from one of these numbers, simply subtract 20. For example, if the first two digits is 32, it indicates it is a "thrift institution" in the 12th Federal Reserve district (the western US). Routing symbols that start with 00 indicate the check is issued by the US government (except federal banks). Routing symbols that start with 80 are reserved for travelers checks, and all others are reserved.
The third digit of the Federal Reserve Routing Symbol indicates which branch office of the district the check should be routed through. A 1 indicates the main office of the district, with digits 2-5 indicating a branch office. For example, in the 12th Federal Reserve district (the western US), 1 indicates San Francisco, 2 indicates Los Angeles, 3 indicates Portland, 4 indicates Salt Lake City, and 5 indicates Seattle.
The forth digit indicates the availability of funds. A 0 indicates immediate availability, a 1-5 indicates which state in the district the paying bank is located, and a 6-9 indicates a special collection arrangement.
The Federal Reserve Routing Symbol is the denominator in the transit number printed in the top-right corner of a check.
The ABA Institution ID
The full ABA institution ID is actually made up of two parts, separated by a dash. You can find the full ABA institution ID printed in the upper-right hand corner of your checks, as the numerator in the transit number. For example, it may look like: 96-1234. The part before the dash (the prefix) indicates the city or state the bank is located in. Numbers from 1 to 49 represent cities, while numbers from 50 to 99 indicate states. For states, numbers 50-58 represent eastern states, 59 represents Alaska, Hawaii, and US territories, 60-69 represent southeastern states, 70-79 represent central state, 80-88 represent southwestern states, and 90-99 represent western states.( A full list of the ABA prefixesCollapse )
The second part of ABA institution ID is limited to 4 digits, and is included in the MICR routing number. Since there are more than 10,000 institutions in the US, this number is obviously not unique to an institution. However, it is assigned so that it is unique inside the ABA prefix and Federal Reserve branch office area. Therefore, its meaning is not ambiguous inside the MICR routing number.
The Check Digit
The check digit ensures the number was read or keyed in without error. The algorithm used to compute the check digit of the routing number is as follows:
Take the first, fourth, and seventh digit, multiply them by 7, and add them to the total.
Take the second, fifth, and 8th digit, multiply them by 3, and add them to the total.
Take the third and sixth digit, multiply them by 9, and add them to the total.
The check digit is the 1s digit of the total. Note that if you take the check digit, multiply it by 9, and add it to the total, the sum will be evenly divisible by 10.
The Account Number
The account number precedes the ANSI "on-us" symbol (
). The check digit algorithm is the same as the one used to verify the routing number. However, because account numbers are of variable length, it can be somewhat tricky to determine which multiplier to use with what digit. The best way to go about it is to work backwards from the last digit of the account number, not including the check digit. Working backwards, the pattern of multipliers is 3-7-9. For example, if you have the account number 123456, you would compute the check digit like so:
Sum of products = 121, which means the check digit is 1. Current Mood: hot
|Friday, November 14th, 2003|
Inside Credit Card Numbers
On request, here's a breakdown of how credit card numbers are generated. This also applies to Visa and Mastercard debit cards. Note that this is all public knowledge, and can't alone be used to generate real credit card numbers.
We'll use the sample card number 4567890001234518 as an example throughout this entry.
The first digit indicates the "industry type." For credit cards, this is either 3 (AmEx/Diners/JCB), 4 (Visa), 5 (Mastercard), or 6 (Novus/Discover), depending on the card type. All ISO-compliant cards respect this first digit so duplicate card numbers aren't generated.
The next-five digits usually indicate the bank id. For example, the bank id of our sample card number is 56789. Sometimes part of the bank id is used to further identify the type of card (so that one industry type digit can accomidate more than one type of card), and some large banks have more than one bank id. Some cards (mainly Novus/Discover, Amex, Diners, and JCB) use part of the bank id as the customer account number. Below is a table summarizing the industry type digit, valid bank id ranges, and total number length for each card type:
|Card Type||Industry Type Digit||Valid Bank ID Range||Length|
|Visa||4||00000-99999||13 or 16|
|14 or 16|
Keep in mind that this table may not be completely up-to-date, especially for card types with a relatively small range of bank ids.
The remaining digits (except for the last one) are the customer account number and are at the discretion of the card issuing bank. For debit cards, it is common (but not required) for all but the last digit of the customer account number to be your bank account number, and for the last digit to be a subaccount number, which is either sequential or random and can be changed if you lose your card and need a new number. For example, the bank account number of our sample card is 00012345, and the subaccount number is 1.
Finally, the last digit is the check digit, designed to ensure the card number was entered/read correctly. This digit is computed based on all other digits in the card number. The algorithm for computing the check digit is as follows:
|Take every odd-placed digit||4 6 8 0 0 2 4 1|
|.. and multiply it two||8 12 16 0 0 4 8 2|
|Sum each digit of the result||8+1+2+1+6+0+0+4+8+2 = 32|
|Take every even-placed digit except the check digit||5 7 9 0 1 3 5|
|... and add them together||5+7+9+0+1+3+5 = 30|
|Add the two sums together||32 + 30 = 62|
|Take the 1s digit of the result and subtract it from 10||10 - 2 = 8|
Why are the odd-placed digits treated differently? The most common mistake when entering a card number is to swap two consecutive digits. By treating the odd digits differently, this ensures that the check digit will be different if two consecutive numbers are swapped, and thus, the error will be caught.
To guard against people generating numbers, there are several systems in place to ensure you are using an account number you are authorized to use. For example, the customer account number may contain random digits to ensure only a small percentage of randomly-generated card numbers are real. Even if you have a valid card number, you must get the expiration date right, or else the card will be declined. If you use your credit card online, often your billing address is verified, and sometimes you are asked for your CVV2/CVC2/CID number, located on the signature panel (or above the last four digits of an AmEx card), which is essentially random and cannot be guessed. If you use your card at a retail establishment, there are other safeguards. For example, for Visa and Mastercard cards, the first four digits of your card number are printed right above the first four embossed digits. Credit card terminals often ask the operator to enter the last four digits of the card number to ensure the card number encoded on the magnetic stripe matches the card number embossed. Finally, the magnetic stripe contains additional validation information that must be sent as-is to the card processor to prevent people from rewriting the magnetic stripe with a fake account number.
|Friday, November 7th, 2003|
Spot the backdoor
The following code was added to Linux's wait4()
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
A casual glance at this code makes it look like a harmless error check designed to make the system more robust, but it's not.This story
at The Register has more info.
|Friday, October 31st, 2003|
Network Memory Paging
My old laptop slowed to a crawl. I was sitting here, frustrated, listening to the hard drive thrash around, trying to page memory in and out. I was thinking, "there's gotta be a better way to do virtual memory." Then, it hit me: page memory over the network. Simply put, instead of paging memory out to the local hard drive, page it out to the RAM in another system on the network.
Gigabit Ethernet (in theory) is at least as fast as most IDE interfaces, and paging out to another system's RAM virtually eliminates seek times, so it seems like using a network paging system would dramatically improve performance. A quick look through Google shows that this idea has been toyed with before, but I haven't found a solid implementation on either Linux or Windows.
A person on IRC asked why you wouldn't just move memory from one system to another. In several cases, it's impractical to do so. For example, my old system has a LOT of RAM, but I rarely use it. My laptop, while it also has a lot of RAM, could always use more. However, it can't accept standard DIMMs. You also run into cases where you can't mix memory types/speeds. Finally, the other system may occasionally need the RAM. If the RAM on the remote system is not needed, it can be used to page out memory from another system. If it is, memory can be paged out to the disk as usual.
Does anyone have any experience with network paging? Do you think it's a good idea or not?
|Tuesday, October 7th, 2003|
|Saturday, September 13th, 2003|
Credit/Debit Card Security and Why It BLOWS
Today, one of my friends lost her debit card. Presumably, it was stolen, since it wasn't where she left it. This is causing a lot of grief for her, because she has to cancel it immediately, wait for a new one, etc.
It didn't have to be that way, though.
The weakass security on credit/debit cards makes it easy for someone who steals it to use it without authorization. If security was improved, there'd be no incentive to steal it, and she'd most likely still have her card.
Credit cards have the worst security, since the only authentication mechanisms are signatures (relatively easy to forge) and AVS (Address Verification System, which can also easily be defeated by looking up someone's information online). What's worse is that some merchants don't even bother to use these mechanisms to authenticate the owner. Countless times I've seen merchants swipe credit cards and handing them back without even checking the signature. Some web sites don't even use AVS. Anyone with your credit card number, expiration date, and OCCASIONALLY the CVV2/CVC2 number (the last three digits on the signature panel) can do anything with your card. Even if you carefully guard your card, these numbers can be easily obtained by dishonest employees at merchants you visit, or your number can be compromised by a database hack. Once you number is out in the wild, it'll never again be secure.
Debit cards are marginally better because they require a PIN to use. However, many debit cards will also work as a credit card, and MANY people use insanely easy PINs. If you visit a dishonest merchant, they can intercept your magnetic stripe information and PIN and use your card in any fashion they like. There are cryptographic safeguards in PIN pads that make this almost impossible under most circumstances, but I could easily see someone hacking the firmware in these PIN pads to send the unencrypted PIN to the host, or making their own unencrypted PIN pad. When you're entering your PIN, you have no idea whether that PIN is secure or not.
We have the technology to make these cards almost impossible to use without authorization. A fully secure system might work as follows: When you make your purchase, you insert your smart credit card into a reader. You are asked for a fingerprint scan. The fingerprint is digitized and sent to the chip on your smart credit card. The credit card validates your fingerprint data, encrypts your account information with the date, time, amount, and unique transaction ID, signs it with your private key, and sends it to the bank. Now, only the bank has your account data, and it can verify that it came from your card by checking your digital signature. Using home readers, this would allow you to make secure payments over the Internet. Since it contains a unique transaction ID, along with the date and time, dishonest merchants can't recharge your card without your authorization again. Anyone who steals your card would be unable to use it because his/her fingerprint wouldn't match. It'd cost tens of thousands of dollars to disect the chip and possibly figure out your information, out of reach to nearly all criminals.
A somewhat similar system
is being tried in the UK, only using PINs instead of fingerprints. While this is more secure than a traditional credit card, many people will use insecure PINs. Additionally, your account number is still on the card, so anyone can still steal your number and use it for "Card Not Present" transactions. I haven't looked into the UK system much, so there may be other vulnerabilities.
The only reason I can think of as to why a more secure system isn't implemented is that it would cost more. I'd think that the savings in fraud would make it worth it, though.
|Friday, January 31st, 2003|
Teh best e-commerce site EVAR!
This evening, my mom called me and asked about an error message appearing on my sister's computer, saying that it had bank account numbers, credit card numbers, etc. on it, and that anyone could access that data without taking immediate action by visiting http://yoursecurity.saidme.com/
. These idiots used the Windows NT Messenger Service (NOT the AIM-like Windows Messenger) to send an error message that looked like it came from the system. The site didn't seem professionally made. Curiously, I clicked on the BUY NOW link and was brought to PayPal. Not the most professional-looking layout. I first noticed that the payment information was sent to firstname.lastname@example.org, so I checked out http://www.epcprivacy.com/
. It looked even more unprofessional. I further examined the PayPal URL and discovered this little gem:
HMM. I wonder what happens if I go to http://www.epcprivacy.com/success.html
? Oh look! It congratulates me for purchasing the software and gives me a download link! At no time does it verify that I actually bought it! This is the worst e-commerce system I've ever witnessed to date.
I never downloaded the software since I didn't trust it from not having spyware/adware and/or fucking up my system beyond recognition.
Out of curiousity I did a whois on the domain. Lookie at what I found:
Phillips, Justin email@example.com
138 Dewey St
Garfield, NJ 07026
Look! An AOLer trying to do an e-commerce site! I plan on talking to him on AIM later. Mwa ha ha.
|Sunday, January 26th, 2003|
I've been browsing through PIN encryption documents and am amazed at all of the security requirements, such as using a unique encryption key per transaction, using 3DES, etc. This seems like overkill considering that most people use something like 9999
(yes, I've seen someone use that) as their PIN.
|Sunday, January 12th, 2003|
I might be smited for this but...
Why has there been no effort to get NTFS to work well in Linux? NTFS's permissions system is a lot more advanced than traditional unix permissions, so I think it'd be easy to store unix permissions in NTFS and even have that translate to the proper permissions in Windows. It's probably not ideal for servers or hardcore Linux users, but it's perfect for people who dual-boot into Linux occasionally.
If there is a reliable way to get NTFS to work in Linux with permissions intact, I'd like to know about it.
|Thursday, January 9th, 2003|