I read a post on the Technologizer blog. It was entitled “A Real Review of RealDVD” by Harry McCracken. Real Networks has released a new application which copies DVD contents to your computer hard drive. There are already other programs out there that do this. However the competitors actually decrypt the DVD, which might be an illegal activity. The RealDVD product from Real Networks takes another approach.

RealDVD is a DVD copying program. It is, in fact, a DVD ripper. However it does not violate the DCMA rules. It achieves this by not removing the copy protection. In fact, RealDVD adds extra copy protection to the output it stores on your hard disk. In essence, you cannot share copies of the rip with anybody else.

This program costs $30. McCracken says that it is easy to use. The ripping does not degrade the quality of the DVD. The amount of DVDs you can rip is only limited by the amount of disk space you have. You can also rip a DVD to a USB drive. The ripped movie is bound to the device you rip the DVD to. So you cannot just make a copy somewhere else and hope that it will work. This is the key benefit of RealDVD.

Personally I watch all my DVDs on a DVD player. So I don’t have the need to store a copy on my computer. I am also not worried about backing up the DVD. If something happens to my DVD copy, I will just buy another one. The interesting part of the RealDVD program is that Real Networks found a way to copy the DVD, encryption and all. You can then play the DVD back, but it is somehow tied to where you ripped the DVD to. I wonder how many takers Real Networks will get for this product. It is not excessively expensive. I just don’t know whether they can stand out in a crowded market or not.

Comcast Limits Confirmed

Previously I had read an article about Comcast possibly limiting the monthly download bandwidth for customers. It seems this article was right. I am a Comcast high speed Internet customer. Yesterday I got an e-mail from Comcast. They are going to be modifying their acceptable use policy (AUP). Starting in October, monthly bandwidth usage over 250GB will be considered excessive.

The e-mail had all kinds of justifications as to why this was a fair policy. Their spin was that this would protect customers from negative impact. Comcast stated that users with ultra high bandwidth consumption caused performance problems for other users. Then Comcast went on to quantify how this limit would not hurt the average user.

Less than 1% of their customers use over 250GB of bandwidth. Normal consumption is between 2 and 3 GB per month. Therefore the new limit is 100 times the average usage. The 250GB limit is equivalent to 50 million e-mails, over 62 thousand songs, or 125 high definition movies. Comcast was also careful to point out that online gamers do not come close to consuming 250GB of bandwidth either.

Hey. I am all about protecting my ability to have good Internet performance. However it seems like Comcast is trying to move to a pay per usage model at the high end, while still charging users at the low end the same normal rates. That does not sound right. I would be unhappy if I was one of those high bandwidth consumers. Luckily I am not. However I would still prefer Comcast to truly go to a per usage model and save me some money. Of course they are not going to do this, as it would eat into their profits. This still seems like a sleight of hand.

Sarah Palin Hacked

Have you heard the news about Vice Presidential candidate Sarah Palin getting her yahoo mail account hacked? I read a blog entry by Michelle Malkin entitled “The Story Behind the Palin E-mail Hacking” to get the details. It put some of the details in perspective.

The main clarification was that the perpetrator who did the hacking was not part of some elite hacker group. There is a site called 4chan that has a lot of discussion boards. People post on this site as Anonymous normally. You don’t need to sign in with your credentials. One person hacked Palin’s Yahoo account early Tuesday morning. The account and password were then shared on one of the 4chan discussion boards. The plan was for other readers to go crazy and use the e-mail.

In the end, this discussion board thread was deleted by the moderators. Some users had taken screen shots of what they saw on 4chan. It was these screen shots that were shared with the mass media. Later a poster that goes by the handle rubico claimed to be the original person who hacked the account and shared the password on the 4chan board. Rubico’s e-mail address is

Here is a synopsis of what rubico said he did. He used Wikipedia to find information about Palin. He then used Yahoo’s password recovery features to trick Yahoo into providing him with Palin’s password. Rubico then proceeded to read each of Palin’s e-mails. However he did not find any incriminating evidence. There were just personal things like family pictures in there. He decided to post the password to 4chan as a prank. He was unhappy that somebody who disagreed with he work went in and changed the password of Palin account.

There were a number of interesting issues surrounding Palin’s account being compromised. One is that Palin uses a free e-mail service like Yahoo. The other is that it is easy to take advantage of the Yahoo password recovery system. Finally, there was a lot of misinformation about the story in the mass media. That is typical I guess.

Comcast Limits

Some time ago, I read an article that stated Comcast would cap downloads at 250 Gigabytes a month. You would get a call from Comcast if you exceeded that amount. They are planning to add an extra fee if you go over this amount. The fee will be something like an extra $10 for every 10G you go over 250G per month.

Comcast’s spin on this new charge is that it will help ensure that everybody gets good performance. That is typical management speak. It means that they can give everyone good performance, but somebody other than Comcast has to pay. It almost seems like we are going back to a per-use charge. However they are leaving out the part where you get to pay less if you use less bandwidth. Companies are tricky like that to maximize their profit.

To tell you the truth, I have no clue how many Gigabytes I download on a monthly basis. Comcast says the medium amount for their users is less than 3G per month. I have not received any calls from Comcast recently. Maybe that means all is well. However I would still like to pay a lesser monthly charge if I only download 1G a month, and somebody else downloads 200G in the same time frame. You either charge us a flat fee, or you give me a discount. You can’t have it both ways.

I know I do watch videos on the Internet all the time. However these are usually short videos from YouTube. Someone calculated that 250G a month download is equivalent to downloading 4 high definition movies a day. Yeah I fall way under that limit. Comcast better give me a better Internet plan if they are going to charge the heavy users some more money.

This is post is not directed solely to Comcast. Other cable companies like Cox and Time Warner cap the monthly download at lesser rates. They too should either charge all users a flat fee, or give rebates to those of us who do not use up a lot of bandwidth. What do I have to do to be given a fair deal in broadband access? Call the FCC?

SSH Passwords

I read the abstract for an Association of Computing Machinery (ACM) paper entitled “Timing Analysis of Keystroke and Timing Attacks on SSH”. The paper was written by Dawn Xiaodong Song and others. Unfortunately you have to be a member of ACM to read the body of the paper. I am looking into getting my company to pay for my membership. However I thought it would be fun to go over the abstract and think about what these researchers did to break SSH.

The key finding of this paper is that you can determine the approximate size of the original data sent over SSH. This is furthered by the fact that SSH sends every keystroke immediately to the server. Thus you can find out thing like how fast somebody is typing. You can also employ some statistics to figure out how long a person’s password is. The authors are not claiming they can decode the password. But given the length, they can severely cut down the number of guesses a brute force attack needs to do.

In case you do not already know, SSH stands for secure shell. It provides a mechanism to exchange data over a secure channel. SSH is used to remotely log into UNIX accounts. It replaces older telnet technology, which passed passwords as plain text over the network. SSH instead uses public key cryptography. Initially, SSH was vulnerable to man in the middle attacks. That alone is worth a separate discussion. However SSH was updated a long time ago to plug this gap. SSH uses both encryption and compression. So you would think that you could not easily determine the exact length of your password. However you can probably determine a good guess using a little statistics like the abstract says.

I will share some more information if I get a subscription to the ACM. Until then I will be trying to think how the researchers took apart SSH.

Chrome First Impressions

I had some trouble accessing the CarMax web site this weekend. I thought maybe there was something wrong with my Internet Explorer browser. This was the perfect opportunity to install and try out the Google Chrome browser. During install, Chrome displayed an options screen. However the screen just froze. Nothing seemed to be happened. All I could do was move the screen. Underneath the window, I found another window that said the Chrome install was complete. That was very strange. This cannot be the correct behavior.

Nevertheless, it looked like Chrome installed on my computer. I chose to import my Internet Explorer bookmarks. Unfortunately Chrome reordered my bookmarks in alphabetical order. I did not like this. So I tried to manually reorder the bookmarks. Chrome did not want to let me do that. I guess I had to live with the order that Chrome chose.

The good news is that Gmail feels a little faster in the Chrome browser. Netflix also feels a little faster. But I have lost the ability to drag and drop movies in my Netflix queue. This must be some web features that Chrome does not support yet. Playing videos seemed to work at about the same speed in Chrome as in Internet Explorer.

I understand that Chrome runs different tabs in different Windows processes to assist with crash protection. That sounds like a good idea on the surface. But I went to one web site on a single tab. I spied on Chrome user Windows task manager. I found three separate Chrome executables running. That did not feel right. I also found that a GoogleUpdate process running even when I have not launched the Chrome browser.

The main goal I had with Chrome was to see if it could help me view the CarMax web site. It was not the cure for this problem. That web site must have been physically down this weekend. So Chrome did not work much better than Internet Explorer for me at all. In fact, I was annoyed with some of the Chrome executables running at what seemed strange times and multiple instances. I don’t want my computer being slowed down by secret Chrome processes. Therefore I uninstalled Chrome for now. It is still in Beta mode. Maybe I will try it again later.

Master Boot Record

I read an interesting article entitled “Writing Boot Sector Code” by Susam Pal. He has a whole set of articles that describe what happens when a computer boots up. The article I read concentrated on how to write boot sector software which automatically gets executed when a PC boots up. This can allow you to take over a computer from the start.

Susam said that PCs start executing code at location 0xFFFF0 at start up. This is a memory location in the BIOS ROM. The boot sector is the first sector of data storage. The first byte of this sector is actually executable code. Deeper into the sector is information on the disk itself, such as the partition information. Susam recommended you first verify your code before putting it into the boot sector. You can do this safely by running an emulator such as DOSEMU or DOSBox.

I found this topic so interesting that I did some more research on the boot sector and how a PC starts up. I consulted sources such as Wikipedia,, Microsoft, PC Guide, and Ars Technica. Here I will share some of my findings. This is a ripe topic for much further research. The great thing is that you only need a PC to start tinkering with it.

The boot sector is for booting programs. Usually you will boot an operating system. The BIOS first selects a device (such as a hard disk) for booting. It then copies the first sector on the disk to memory location 0x7C00. Viruses sometimes replace this code with malware for evil purposes.

All disks are divided into sectors. The very first one is the boot sector. The first section contains the Master Boot Record (MBR). The MBR has information about the partitions on the disk. The MBR has code which loads file “io.sys” for MS DOS. Windows XP has a built in recovery console. One utility in the recovery console is Fixboot, which can correct partition problems on the boot sector.

Know that we are talking about machines with the 80x86 architecture here. PCs first conduct a power on self test (POST). Then they figure out which device to boot from. Sector one is loaded from disk to memory. The PC then begins executing instructions at that location. Normally the first 3 bytes of the boot sector do a jump to another memory location. That is because the next 8 bytes are data and not code in the boot sector.

The Master Boot Record used to be a target of malicious code in the old days. Antivirus software now detects and prevents this. Windows Vista has built-in safeguards to prevent malware from messing with the MBR. However some companies that track viruses say that MBR attacks are on the rise.

More Chrome

Previously I have written about my initial thoughts on Google Chrome. Today I was riding the train to visit some customers. To pass the time I read Information Week magazine. This week's issue had a couple articles about the Chrome browser.

First and foremost, the magazine acknowledged that Chrome is still in Beta mode. These days web applications are getting very common. To keep up with changes needed to support web apps, Google decided to roll a browser of its own. Mozilla just could not keep up given its lack of financial backing.

Underneath the hood, Chrome uses the WebKit rendering system. This is significant since Android also uses WebKit. Android is Google's phone browser.Co-found Sergey Brin of Google was quoted as saying that while Chrome may not be an operating system, it is a fast engine to run web applications.

Initial users of the browser like how it maximizes screen real estate by eliminating menu and buttons at the top of the window. I personally have not downloaded and installed Chrome. To tell the truth, I do not like how Chrome will automatically update and get downloaded frequently. People in large companies might also not enjoy the Google license that states they are free to advertise in the browser. Such is the trade off when dealing with a free product.

FreeHackers Union

Every once in a while I read Zed Shaw’s blog. This guy comes off as a bad ass. Recently he lashed out against the suits that have, according to Zed, destroyed the software business. So he decided to form the FreeHackers Union (FU). It was initially supposed to be a bunch of real developers in New York City sharing the new projects they are working on. However this movement seems to have caught on. At least that is what Zed is saying in his blogs. I find this interesting as Zed reports that there is a chapter of the FU forming up in my local area. It might be something worthwhile to check out.

The FU rules sound a little like Fight Club. You have to earn the right to be a member of FU. The way you do that is you attend your first meeting, where you will be forced to “perform” for 5 minutes. During this time you must share what new projects you are working on. If you get gonged during those 5 minutes, you cannot join the club. You can try again during the next meeting.

This FU revolution is a backlash to the business types that have infiltrated the hacker scene and are bringing the whole thing down. The 3 themes of the FU are art, wires, and code. Personally the code appeals to me. I imagine most of the other members are also coders. Groups are apparently forming all over the world. Let’s hope this is not some sort of hoax. Judging from Zed’s character, I would think it is not.

You never know. This could actually be the start of something big. The FU plans to video tape each of its gatherings. Maybe some day I will tell the newbies that I was there when they formed the FU. Who knows?

Google Chrome

Everybody seems to be talking about Chrome. It is a new browser from Google. Chrome is being hyped as a faster, safer, and easier web browser. Google is releasing it under the BSD license. Part of the speed increase is due to a new JavaScript virtual machine named V8. The most prominent user interface change is that the tabs are at the very top of the window.

Chrome is in Beta right now. Under the hood, separate tabs are in sandboxes. Other tabs should continue to function if one of them crashes. There is also a window which does not log any activity to your PC. Google released the Windows version of Chrome this week. Versions for the Max and Linux are coming soon. Google stated that they used parts of Mozilla Firefox and Apple WebKit to develop Chrome.

Google man Matt Cutts came out with a blog post explaining what types of information the Chrome application sends to Google. Nothing is sent to Google if you surf around by clicking links. However Chrome will contact Google search if you type something in the address bar. By default the crash reports are not sent to Google. However for some 404 error pages, Chrome will contact Google to recommend other pages to you. Chrome does phone home to check for an update every 25 hours, and it downloads a list of dangerous URLs from Google every 30 minutes. It also downloads a dictionary when you initially choose your language in Chrome.
I read on Robert Synnett’s web site that he found Chrome a blazing twice as fast as Firefox in general. It also goes real fast when accessing Google JavaScript. Go figure. Robert also mentions that the JavaScript debug tools that come with Chrome are very strong. I confess that I have not installed and used Chrome yet. But with all the buzz I cannot help but be curious and will most likely take it for a test drive soon. I do use a lot of sites from Google which are heavy with JavaScript. I will keep you posted.

Cuil Twiceler

The TechCrunch blog has asked “Is Cuil Killing Web Sites?” This was a post by Don Reisinger. Cuil has an indexing bot named Twiceler. Apparently some web site owners are complaining that Twiceler brings their sites down. It is almost like a denial of service attack. Some people are saying that Twiceler just guesses at random URLs and checks a web server if they exist.

Cuil has said that Twiceler is in a developmental state. However it does obey the “robots.txt” file. And Cuil has also stated that there are Twiceler imposters out there doing damage. Some comments on the blog post include one that likens this to the early days of Google. Another poster asked where is the proof that Twiceler is actually doing all this damage.

Personally I thought that perhaps Twiceler was eating up some extra bandwidth on web servers. But the theory about it guessing URLs at random has to be bunk. Come on. Do you think anybody with some brains is going to write an indexer that guesses URLs randomly? No. You crawl the web using links from other pages right? You could spend all days guessing at random URLs on just one web server and get nowhere. Twiceler has to search the whole web.

There is a lot of FUD out there about both Twiceler and Cuil. It is best to get your facts straight. Hey I have posted about Cuil. And I did not have good things to say. However everything I wrote was backed up by hard facts. I did not go out and create some weird theories about the evil actions behind Cuil. Maybe Microsoft and Google got together and decided to spread some rumors about Cuil to shut it down? There. Do you see how silly it is to promote FUD about a company, new or otherwise?

To the people on the Cuil Twiceler team, good luck to you. You are going to need it. And you might want to spend some money on public relations damage control. Your name is quickly becoming mud in the blogosphere.

Instant Message Bot

I read a short blog post by Amit Aggarwal entitled “How to Write Your Own IM Bot in Less Than 5 Minutes”. Now that’s a catchy title. It seemed like it would not take too long to follow Amit’s advice. Essentially he recommended the use of the IMified service. You can write your bot in any language. And getting a simple one started takes little time. I was interested to say the least.

IMified was launched around a year and a half ago. I think it might be only two dudes in the company. Their service is free to use. You create an account with them. Then you create a web page and host it on your own server. You tell IMified who your bot is going to IM. Then the service will do the instant messaging and communicate with your web page. You web page just responds to IMified, which shall do the instant messaging for you.
At first I thought maybe this was talking about those smart bots you see when you go into chat room. You know. Those are the ones that are usually spamming the people in the room. However I realized I was wrong. Amit is talking about sending messages from a bot over an instant messenger such as Yahoo Messenger. That is still quite a feat. However it was not as exciting as the chat room bot idea.

What it boils down to is that IMified has figured out the instant messaging protocol for all the popular instant messaging systems. It then provides an API that you can program to control IM message bots. If you were trying to do an IM message bot, that seems like a lot of help. You don’t have to decode the instant messaging protocol yourself. Somebody else has done the research for you. I imagine IMified will keep up with changes in the instant messengers as they get upgraded.

I am sure IMified is a business. They do not charge you for their bot service. However I always wonder how companies such as this make money. Usually there is some catch. I got the feeling from their web site that they do more than just IM message bot control. Perhaps they make their money elsewhere. I hope they come out with an easy interface to chat rooms for bot purposes. Then I will check them out for sure. In the mean time I am going to brush up on some web programming skills.