Wednesday, March 24, 2004

Viruses and SPAM vs. Keys and Signatures

Anyone else getting e-mails containing the Win32.Netsky.P@mm virus? I thought it was interesting that it stamps the e-mail as being virus free with the name of, and a link to, a valid anti-virus company. I guess that just goes to show how useless those annoying little tag-lines are.

Symantec has some good details about it. Down at the bottom of their page you can see the spoofed tag-lines.

If you use an unpatched Microsoft e-mail program, then you will spread the virus just by reading it.

If anyone has actually bothered to read this far, I will propose a solution. Instead of just appending a tag line claiming the message is virus free, the sender's software needs to actually attach a digital signature to the e-mail. The anti-virus companies would act as key authorities and issue keys to everyone who has their software. When you send an e-mail it is automatically signed with this key. When that e-mail is received there is a chain of authority that lets the receiving virus scanner (or e-mail client) verify that it was actually scanned by a legitimate sender. If a key gets compromised, the authority that issued it (the AV company) would revoke the key.

To prevent spoofed digital signatures from compromised systems, the user would have to enter their pass phrase to unlock their signing key, just as strong crypto products do today. That, in combination with an actual scan of outgoing e-mail, would be a good combination. Many of the good virus scanners today will actually warn you if your machine is acting suspiciously, such as sending many similar e-mails in quick succession.

An advantage of widespread adoption of mail signatures is that it could also stop the spread of spam. Simply mark any unsigned e-mail as questionable. ISPs could also be key authorities for everyone who is authorized to use their SMTP servers. Then the SMTP server would simply reject any e-mail that did not carry a proper digital signature from one of their subscribers. If you received spam with a valid signature, you could simply report the sender for spamming (to their ISP and your ISP, and maybe other blacklist maintainers) and blacklist their key. If an individual gets too many complaints against them, then it is their ISP's responsibility to revoke their key. If an ISP gets too many complaints against it, then the other ISPs can blacklist its key chain, thus rejecting all of its subscribers' keys.

An advantage of this kind of solution is that it could be rolled out slowly. ISPs, mail clients, and AV software that supported the signatures could whitelist each other. Any unsigned e-mail could be treated with caution. This would provide motivation to support the feature, since it would move everyone onto whitelists. Since end users could vote with their money by buying AV software and e-mail clients that supported this feature, early adoption would motivate ISPs to start supporting it, as well as other software vendors.
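The chain of authority described above, as an added example that is not part of the original post: a key authority (standing in for the AV vendor or ISP) issues a certificate binding a subscriber's address to their public key, the sender signs each message, and the receiver checks the certificate against its trusted roots and the issuer's revocation list. Textbook RSA over fixed Mersenne primes, SHA-256 of a canonical JSON encoding, and the names `ExampleAV` and `alice@example.net` are all assumptions of this example, chosen so it runs offline with the standard library only; real mail signing would use S/MIME or OpenPGP with properly generated keys.

```python
"""Toy chain-of-trust for signed mail (added example, stdlib only).
Assumptions: textbook RSA over fixed Mersenne primes and SHA-256 of a
canonical JSON encoding as the digest. Neither is fit for real mail
(no padding, tiny keys); they only keep the example self-contained.
"""
import hashlib
import json

# Fixed Mersenne primes as toy RSA factors (assumption; real keys use random
# primes of 1024+ bits). 65537 is coprime with (p-1)(q-1) for every pair below.
M19, M31, M61, M89, M107, M127 = ((1 << k) - 1 for k in (19, 31, 61, 89, 107, 127))
E = 65537

def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"e": E, "n": n}, {"d": pow(E, -1, phi), "n": n}

def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(data: bytes, n: int) -> int:
    # Reduce the hash mod n so it is a valid RSA input for these small keys.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

class KeyAuthority:
    """An AV vendor or ISP: issues certificates to subscribers and revokes them."""

    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = make_keypair(p, q)
        self.revoked = set()  # moduli of revoked subscriber keys (a toy CRL)

    def issue(self, subject, subject_pub):
        body = {"issuer": self.name, "subject": subject, "key": subject_pub}
        return {"body": body, "sig": sign(self._priv, canonical(body))}

    def revoke(self, cert):
        self.revoked.add(cert["body"]["key"]["n"])

def sign_mail(priv, cert, headers, body):
    """Sender side: sign headers+body and attach the certificate, not a tag-line."""
    sig = sign(priv, canonical({"headers": headers, "body": body}))
    return {"headers": headers, "body": body, "cert": cert, "sig": sig}

def verify_mail(mail, roots):
    """Receiver side. roots: issuer name -> (root public key, live revocation set).
    Returns (accepted, reason); unsigned or unverifiable mail is rejected."""
    cert = mail.get("cert")
    if cert is None or "sig" not in mail:
        return False, "unsigned"
    issuer = cert["body"]["issuer"]
    if issuer not in roots:
        return False, "untrusted issuer"
    root_pub, revoked = roots[issuer]
    if not verify(root_pub, canonical(cert["body"]), cert["sig"]):
        return False, "certificate not signed by trusted root"
    key = cert["body"]["key"]
    if key["n"] in revoked:
        return False, "certificate revoked"
    if mail["headers"].get("From") != cert["body"]["subject"]:
        return False, "From header does not match certificate subject"
    signed = canonical({"headers": mail["headers"], "body": mail["body"]})
    if not verify(key, signed, mail["sig"]):
        return False, "message signature invalid"
    return True, "signed by " + cert["body"]["subject"] + " via " + issuer

def demo():
    """Constructed scenario: one AV vendor as root, one subscriber, one worm."""
    av = KeyAuthority("ExampleAV", M89, M127)
    roots = {av.name: (av.pub, av.revoked)}
    alice_pub, alice_priv = make_keypair(M61, M107)
    alice_cert = av.issue("alice@example.net", alice_pub)
    hdr = {"From": "alice@example.net", "Subject": "lunch"}
    out = {"genuine": verify_mail(sign_mail(alice_priv, alice_cert, hdr, "Lunch?"), roots)}
    # A text tag-line proves nothing: it is just unsigned mail.
    out["tagline"] = verify_mail({"headers": hdr, "body": "Lunch?\n-- scanned by ExampleAV"}, roots)
    # A worm minting its own "ExampleAV" root cannot forge a cert the real root signed.
    rogue = KeyAuthority("ExampleAV", M19, M31)
    forged = sign_mail(alice_priv, rogue.issue(hdr["From"], alice_pub), hdr, "Lunch?")
    out["forged_cert"] = verify_mail(forged, roots)
    # Editing a signed body breaks the message signature.
    tampered = dict(sign_mail(alice_priv, alice_cert, hdr, "Lunch?"), body="Open attachment!")
    out["tampered"] = verify_mail(tampered, roots)
    # A stolen key verifies until the issuer revokes it; revocation must be live.
    spam = sign_mail(alice_priv, alice_cert, hdr, "BUY NOW")
    out["stolen_before_revocation"] = verify_mail(spam, roots)
    av.revoke(alice_cert)
    out["stolen_after_revocation"] = verify_mail(spam, roots)
    return out

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:26} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The scenarios in `demo()` map onto the post's points: a text tag-line is just unsigned mail and is rejected; a worm that mints its own "ExampleAV" root cannot produce a certificate the real root signed; and a stolen key verifies until its issuer revokes it, which is why the receiver must consult a live revocation list rather than trust the certificate alone. One caveat the pass phrase does not remove: malware running with the user's privileges can wait until the key is unlocked and sign in the user's name, so a valid signature proves which key signed the mail, not that the sending machine was clean.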

Tuesday, March 23, 2004

GUI Gallery

Check out guidebook, a website dedicated to preserving and showcasing Graphical User Interfaces. You can view the entries by component (Splash screens) or platform (Microsoft Windows 1.01). It is interesting to see the evolution of some of the graphics, for example the chronological evolution of icons.

Noticeably absent are any Linux desktops. This is probably due to the lack of uniformity in Linux desktops. But you would think they could feature the two most popular ones, Gnome or KDE. Maybe they will be added later, or they are waiting for the two to be combined by Novell.

12 Reasons for Growth of Open Source

Netscape Co-Founder Marc Andreessen's 12 Reasons for Growth of Open Source [LinuxWorld]

  1. "The Internet is powered by open source."
  2. "The Internet is the carrier for open source."
  3. "The Internet is also the platform through which open source is developed."
  4. "It's simply going to be more secure than proprietary software."
  5. "Open source benefits from anti-American sentiments."
  6. "Incentives around open source include the respect of one's peers."
  7. "Open source means standing on the shoulders of giants."
  8. "Servers have always been expensive and proprietary, but Linux runs on Intel."
  9. "Embedded devices are making greater use of open source."
  10. "There are an increasing number of companies developing software that aren't software companies."
  11. "Companies are increasingly supporting Linux."
  12. "It's free."

It is interesting that Marc Andreessen would be an advocate of open source. Remember that Mosaic, the Netscape browser, and the Netscape server were all closed source commercial applications. Only the beta versions of the browser were free downloads. It wasn't until after Microsoft made Internet Explorer a free download that Netscape responded by making Netscape free. Granted, Andreessen was still with Netscape when they released their browser as open source. Maybe he learned his lesson. Of course the Netscape server is still closed source, so it really doesn't fit with his first point.

Anyone care to publish a rebuttal?

BorCon 2004 C4P

Well, I submitted a total of 16 abstracts for the 2004 BorCon call for papers. That is about twice as many as I recall submitting last year. I had more in the hopper that I didn't have time to finish, although I was having second thoughts about most of the ones that didn't get submitted. There were a few that I started out really excited about that I thought better of as well. Not sure if it was a case of cold feet or better judgment.

I'll keep you posted which abstracts get accepted, and in what form. My plan is to turn at least some of the other abstracts that do not get accepted into articles for other venues (BDN, Blog posts, group presentations, magazine articles, etc.).

My hermit like behavior as of late would be explained by my rush to get these done.

Download random numbers

Thanks to the University of Geneva and the company id Quantique, anyone can download true random numbers. The numbers are generated on demand using a quantum random number generator. They are testing a client/server application to download the numbers directly. This would be an excellent application for a web service.

It would be nice to have a reliable source of random numbers. I would think, though, that if they were to be used for a cryptographic application, their transmission would need to be encrypted. If you used those random numbers in combination with a local pseudo-random number generator and an entropy gathering system, you would probably be in really good shape.
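One way to use such a download safely, as an added example that is not from the original post or from id Quantique: treat the downloaded bytes as one input to a key-derivation step rather than using them directly. Numbers anyone can fetch over the network are not secret, so on their own they must never become key material; mixing them with bytes from the local OS pool through HMAC-SHA256 (an HKDF-style extract-and-expand) gives a seed that stays unpredictable as long as either source is good. The 32-byte minimum per source and the `seed-v1` purpose label are assumptions of this example.

```python
"""Mix downloaded random bytes with local entropy before using them as a seed
(added example, stdlib only). HKDF-style extract-and-expand over HMAC-SHA256:
the output is unpredictable if *either* input is, so a remote feed that is
public, logged in transit or tampered with cannot weaken the seed on its own,
and a thin local pool is still rescued by a good remote feed.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Concentrate whatever entropy ikm has into a fixed-size pseudorandom key."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Stretch prk into `length` bytes bound to a purpose label (RFC 5869 expand step)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_seed(remote: bytes, local: bytes, length: int = 32, purpose: bytes = b"seed-v1") -> bytes:
    """remote: bytes fetched from the quantum RNG service; local: bytes from the OS pool.
    The local bytes key the extractor and the remote bytes are its input keying
    material, so knowing one without the other gives an attacker nothing usable.
    The 32-byte floor and the purpose label are assumptions of this example."""
    if len(remote) < 32 or len(local) < 32:
        raise ValueError("need at least 256 bits from each source")
    return hkdf_expand(hkdf_extract(local, remote), purpose, length)


def demo():
    # Constructed input standing in for a downloaded block that an eavesdropper
    # also saw; it is deliberately a predictable byte pattern.
    remote = bytes(range(64))
    a = derive_seed(remote, os.urandom(32))
    b = derive_seed(remote, os.urandom(32))
    fixed_local = b"\x00" * 32  # fixed pool only so the result is reproducible
    c = derive_seed(remote, fixed_local)
    d = derive_seed(remote, fixed_local)
    return {"same_remote_differ": a != b, "reproducible": c == d, "length": len(c)}


if __name__ == "__main__":
    print(demo())
```

The two `os.urandom` seeds in `demo()` share the same public remote block yet differ, which is the property that matters: an eavesdropper who captured the download still has to guess the local bytes. Seeding a local pseudo-random generator with the derived value, rather than with the raw download, is the combination the post has in mind.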

Thursday, March 18, 2004

Look who is at Falafelsoft

Falafelsoft is a software consulting company. The President and CEO is Alain Tadros. I was impressed that Steve Teixeira came on board from Zone Labs. He was previously an R & D Engineer at Borland on Delphi and C++ Builder. He is also an author and speaker.

If you look further through their ranks you will see the following notable individuals:

  • Charlie Calvert - Author and former Borlander.
  • Jim Cooper - Behind PocketStudio and TurboSync for Palm development.
  • Brian Long - Author, columnist, speaker and consultant.
  • Julian Bucknall - Formerly of TurboPower and Microsoft, also a noted author and columnist.

Then if you head over to Component Science you will find a lot of other former TurboPower developers. At BorCon 2003 they announced that Ray Konopka was the new president of Component Science, but he is noticeably missing from their management team now. I must have missed that.

In any case, I am impressed with the big names and growth at Falafelsoft. You may also want to check out their own blog, which Julian is now contributing to. You may recall that I mentioned his blog previously. I wonder if he will continue to contribute to that one.

Wednesday, March 17, 2004

Excuse Me?!

Have you ever noticed how flexible the phrase "Excuse me" is? Based entirely on body language, voice inflection, and the current context, it can have more meanings than I could list. Broadly, in the more common usage it is rather submissive, as you beg someone to forgive you for your imperfections. In another almost as common usage, you let someone know that their imperfections have offended you and they should correct the situation. And both of these circumstances have a wide range of variations.

For example, let's say you are at a party (I know this might be a stretch for some, but stay with me). You are in a crowded room with lots of talking. You see someone you want to talk to on the other side of the room and you start moving towards them. Someone is in your way. You say "Excuse me" to politely let them know that you wish to humbly ask them to move as you so rudely want to reposition yourself through their personal space. They don't move. So you say "Excuse me" again to let them know that you find their lack of moving rude. They still don't move. This time you say "Excuse me" to indicate that you find them to be a Neanderthal not worthy of your patience. Now they respond "Excuse me?" to indicate they didn't understand you. So you point in the direction you are trying to move and they kindly step aside. You continue on your journey, but accidentally step on their toe, to which they protest "Excuse me!" and you apologize "Excuse me!"

These are dangerous words. You may be trying to ask someone to move nicely, but you have a bit of a frog in your throat making your voice a little gruff so they get the impression you are demanding they move. And then when you clear your throat and repeat it you only make matters worse.

I would imagine that with some hand pointing, voice inflection and other body language two people could have a complete unrehearsed conversation only uttering these two words.

One time I was attending a public forum where individuals would take turns standing up and expressing their opinion. There was no podium, people just stood up where they were and took turns. Usually there was some sort of informal recognition before people spoke, but people were taking turns, so this wasn't really necessary. At one point this woman just started speaking, and then this man interrupted her. They both started speaking close to the same time, so his mistake was understandable to the rest of the audience, but the woman was obviously speaking first. They spoke over each other for a second, and then the man turned to the woman and said "Excuse me." At first we thought he was apologizing for his obvious oversight in interrupting her. Then he continued to talk. At that point we realized that he was not apologizing, but was instead letting her know that she should sit down and let him talk. This didn't go over very well with the audience, but he didn't care.

This is where lack of social intelligence comes in. People who don't pick up on these subtle cues in body language and voice inflection tend to appear really rude, but in fact they just don't get it. Although some people really are rude. It can be hard to tell.

Moral: And that, my friends, is one of the many reasons it is so tough to teach a computer to understand English, especially when spoken. I am not too familiar with other languages, but I imagine they are similar, but not as bad.

Tuesday, March 16, 2004

How not to sell Linux products

The article below actually covers, more importantly, how to sell Linux products, or any software products for that matter. It uses some poorly sold products to prove its points.

While the article is specifically about Linux, the principles should apply to all products. I'll provide a generic version of the points with my own embellishments.

  • Make sure your product actually does what the user expects it to do.
    This is actually more than was originally suggested in the article. It just said to make sure your product works as promised, but that isn't always what the user expects. You need to make sure that your users' expectations are in line with what you are claiming, and that your product delivers.
  • Make sure your product is sufficiently better than and different from the alternatives that it is worth the difference in price and the customer's consideration.
    There is a lot of software out there. It is always amazing to me how many different takes there are on the same idea. It is important that your product is better than the alternatives (free or otherwise). If your product costs more, then the difference should more than justify the price, and it had better be obvious to the customer that it does. If not, then they will line all the products up and pick the cheapest. It does no good to include killer features and support if your customers do not know about them.
  • Make your product so easy to use it doesn't need any instructions, but provide them anyway.
    Provide a printed manual, a quick reference guide, a quick start guide, online help and a few tutorials. The tutorials are important, but something that most people leave off. They show the user what the product can do, and how to do it. It would be great if your tutorials were available from the web for prospective customers to see.
  • Make it easy to buy your product.
    Prospective customers should be able to find your product however they might be looking for it. Find out what the common channels are and advertise there. Also, be upfront with your price. If it is a consumer product then your customers don't want to talk to a sales rep to find out how much it is. If you won't tell them, then they will assume the worst. If you introduce a new product, make sure your sales people know about it before your customers do.

Well that is my take on selling software. Keep in mind that I am an outsider to software sales, but it seems like common sense to me.

Feel free to read the original full article NewsForge | How not to sell Linux products for a more informed opinion.

Code Complete reading

Not much feedback about the Code Complete reading, so let's move ahead with reading the section on Control.

For something different, I thought maybe one person could take each chapter and present in-depth commentary and coordinate the discussion for that chapter. Let me know which chapter you want to cover. I know the chapter on gotos is going to go quickly, so if you are interested let me know first.

Code Complete

CONTROL

13 Organizing Straight-Line Code
  • Ordering Statements that Must be in a Specific Order.
  • Ordering Statements When Their Order Doesn't Matter.
  • Organizing Straight-Line Code Checklist.
14 Using Conditionals
  • if Statements.
  • case Statements.
  • Checklist for Conditionals.
15 Controlling Loops
  • Selecting the Kind of Loop.
  • Controlling the Loop.
  • Creating Loops the Easy Way-From The Inside Out.
  • Correspondence Between Loops and Arrays.
  • Loop Checklist.
16 Unusual Control Structures
  • Using gotos.
  • return.
  • Recursion.
  • Checklist for Unusual Control Structures.
17 General Control Issues
  • Boolean Expressions.
  • Compound Statements (Blocks).
  • Null Statements.
  • Taming the Hazard of Deep Nesting.
  • Tapping into the Power of Structured Programming.
  • Emulating Structured Constructs with gotos.
  • Control Structures and Complexity.
  • Checklist of Control Structure Issues.

Happy reading, and see everyone at the meeting.

Open source insurance

In what might be a step towards developers needing to purchase malpractice insurance:

Startup to sell open source insurance

Bruce Perens, an open source advocate, is quoted as saying "Software risk management is something that all software needs, and is something that's not provided adequately for proprietary software." So this is more than just insurance that you won't be involved in a frivolous lawsuit from SCO.

Times certainly are changing for our industry.