April 28, 2011

More on the Mac Mini

Ok, Flash is a dog on this mini - it probably has a lot to do with it being a memory hog for the app I'm running (Cityville, yo!) - and the fact that the mini I got came with 2GB of memory - so off to order more memory - $78 later and I've got 8GB of RAM on order. It looks like Apple made the memory super easy to upgrade in the latest mini - just rotate and pop off the underside of the mini and slot in the RAM - older models look like they were designed to be NOT upgraded.

Also installed another app from the App Store - Trillian - logged in and all my IM accounts came over without a hitch. XCode 4 finished installing last night and I walked through the HelloWorld example (although I was kind of tired so I'll do that again tonight as well as look at building my first iPad app with it).

God, this monitor is huge - I really had no concept of just how big a 24" screen is - but truly, sitting this close on my desk this screen fills up my field of vision quite readily, and then some.

April 27, 2011

The Mac Adventure - installing XCode

Ok, so the XCode installation package was on the DVD under Optional Installs - installing it now but I also expect to have to upgrade it on first run. Need to figure out how to download the iPad SDK to get started without having to pay for the iOS Developer package - will pay when I'm ready to test my first app on-device. Hrm, XCode started up - going to walk through the Tutorial for workflow now.

Also, changed the damn mouse speed - This monitor is fucking HUGE when you're scrolling across it. I have a 24" 1920x1080 HDMI monitor I got for $160 at Best Buy (another open box - never buy anything new if you don't have to - saved $30 and it has maybe 2 rub/scratches in the finish that I'll never see without looking for them)

XCode appears to be version 3.2 - not only out of date for the 3.x line - but version 4 is also out - downloading and installing from the App Store now - paid the $4.99 for the new version - but it's taking its good sweet time - I understand it to be several GB in size - so this could indeed take a while. Main complaint of people is that the whole thing has to be downloaded every update and that it's a slow download. That's something Apple needs to fix. There should be some patch download capability - and maybe even some P2P - I have a pretty fast connection and it's crawling.. At this rate, I won't be up and coding tonight unless I want to use the older version already installed.

The Mac adventure - continued

Using Safari just now - realized suddenly that there were no tabs button - how the hell do you open another tab? A quick Google search shows me just where to go - whatever did we do before the hive-mind that is the indexed Internet?

Just tried to pay my Gas bill at Washington Gas's online service center - a no-brainer for all browsers on the Windows framework - but apparently Mac users are left out in the cold - downloading Chrome for Mac now....

Day...saved. Paid my gas bill with my mac - was booting up the PC just in case I didn't get it working, but I'm going to shut it off again - try to stay committed.

Silly developer - just found the system settings staring me in the face on the bottom task bar right next to where Chrome stuck its shortcut. The display settings were right there. Yes, it will take a while to get used to all of this. Next question, do I buy xCode for 4.99 or do I go ahead and bite the bullet for the $99 iOS developer package? Probably going to bite the bullet - amazing what tax return cash does to your financial sensibilities.

Stupid 'End' button on the keyboard doesn't work... Mac issue or keyboard issue? As a keyboard junkie - that's going to be ANNOYING!

The adventures of a new Mac user - Part I

Today, I purchased an open-box Mac Mini. I have never owned a Mac. I am, however, an experienced computer user. I have used, at one time or another, many operating systems from the Timex Sinclair and the TRS-80's OS to the Windows and Linux(es) of today. So, I am unafraid of different experiences. And for one use case that has been itching in my mind, I need a Mac to do it right. That use case, my friends, is iPad development.

Now, it has been a long time since I have really slung code. My last real coding (aside from some VB automation inside Office) was C code development for a MUD (one of those text games that no one plays anymore, but a few sick and devoted people still play). [FoxMUD if you care to check it out.] Any-who - the development itch is one that never really goes away, and in my current role as Enterprise Architect, I don't get to do much coding. I'm more concerned with processes, products, alignments to reference models and trying to make sure I stay ahead of the customer in the daily fire drill. So, last night I watched "The Social Network" and the itch started up again - poor Mark Zuckerberg - so misunderstood. To hell with being rich - it's not the money - it's the idea of doing something REALLY FUCKING COOL...that's what I miss about programming - doing something no one's done before with a piece of code. Introducing new capabilities in software and having the users go 'oooh, ahhh' and 'Can you make it do this....too?'

Well, as those of you who know me, know....I have a new iPad 2. And it has some apps that I like, and others I think can be improved on. And I'm impulsive...and the mac mini was on sale because it was an open box...and here I am writing this first blog post. I'm going to write about my experience changing over to the Mac OS, and my foray(s) into xCode.

So, Day 1 - Realize that the open/close window buttons are on the left, not the right. Also, pushing the red 'X' doesn't actually QUIT the application - had to restart Safari to install Flash (GOTTA HAVE MY CITYVILLE FIX) and closing it/opening it didn't work after installing the plug-in.

Am using a two-button/scrolling mouse - my favorite one - don't judge - Apple purists will tell me that it's a crutch - but I still have to use two-button mice all day long, so this will ease the transition - besides - this way I don't have to buy a second mouse - I just reuse what I've got for my laptop.

After installing Safari, I was suffering from seizures due to the monitor flicker - looked up in Help how to change Display Settings - STILL have no idea how to get to Displays preferences through any normal means - because I just opened it straight from the Help - have seen this in Windows Vista help too - and I thank whoever invented the Application shortcuts built into help files....changed monitor to 1080p instead of 1080i and flicker is GRATEFULLY gone.

Next step will be to fully register for Apple Developer and get xCode....will blog later.

It's Behind a Firewall

Between my neighbor's house and mine is a firewall - an actual firewall, not a computer thing, but a wall that is designed to prevent fire from spreading from his house to mine. The wall is there to protect both of us from the cross-risk of someone having their house on fire. This is obvious from the name 'firewall'. The computer domain has taken the name of this engineering construct and uses it to describe a virtual wall used to protect one network from another. Unfortunately, it has become, to the uninitiated, a term that describes some kind of absolute security.

Just because there is a firewall between my neighbor's house and mine, I am still not free to set my house afire. I would still be liable for any damages this might cause my neighbor. Similarly, I would be remiss to install substandard electrical wiring, or (according to my HOA) have a barbecue grill that uses charcoal, rather than gas. Yet, in the parlance of computer networking, it has become vogue for some parties to address security concerns of cross-domain risk with 'It's behind a firewall, so there's no risk'. Even when the sentence is uttered without those last four words, they're usually contextually assumed.

This is just wrong. Just because you have a firewall does not mean that the system you're installing behind the firewall presents no potential risk to the Enterprise. Each and every system comes with built-in risks, and not only are firewalls INTENTIONALLY porous, but they're only good at preventing very wide-ranging risk. They're of virtually no use when attacks come in through the holes you've punched in it, or when you bring the risks in with you around the side (through the back-end or through a sneaker net).

One of these days, someone is going to say 'No worries, it's behind a firewall' and I am going to physically pull out a lighter and set them on fire (ok, not really, but I'll think about it).

April 20, 2011

DropBox, Security, Encryption, FIPS 140-1 and Illusions

Lately there has been some brouhaha on the Interwebs about the lack of proper security on the DropBox application. Users are rather incensed that they were told their data was securely encrypted, only to find out later that the encryption keys themselves were stored in the databases at DropBox in a recoverable manner.

One of my pet peeves is when people ask me whether a product is FIPS 140-2 compliant. The question is so specific that it addresses only one very specific thing being implemented correctly: the algorithm that performs the AES encryption and decryption activity itself. However, the question does not touch on whether or not the implementation of that encryption is done correctly. FIPS 140-2 compliance is something I would expect any graduate programmer to be able to accomplish in an implementation of AES.

What is missing is the secure implementation and design of the product that utilizes the AES algorithm, most notably the secure implementation of the key storage. For simplicity's sake, imagine that AES is a specification of a lock mechanism and encasement. When you lock up your secrets in this encasement, it is protected by one thing - the key. Where do you put the key to protect it? How do you share the key with others who may need it? How do you store it in a place that you can get to it from whatever device you're accessing it from, including the web and mobile devices?

Users of Dropbox made an assumption that the security of the encryption key was secured by the password that protected their Dropbox account. I, myself, made the assumption that Dropbox uses an algorithm such as PBKDF2 to create the key to protect my files at Dropbox. Of course, there was a point that I missed - if Dropbox were to do this, my files would be unrecoverable if I ever forgot my password. And obviously, some engineer at Dropbox had figured on this as well, because Dropbox can do password resets while my data can still be recovered. And thus, the slippery slope begins... security weaknesses introduced to account for the weakness of the weakest link... the fallibility of the user. Dropbox implemented a solution whereby they store my key for me rather than make it unrecoverable. SHOCK!! DISMAY!! There's even more to the story, because other compromises were made as well in the interest of convenience, according to other accounts I've read, including generating unique security keys for each device that allowed them to authenticate to my Dropbox without even my current password. This last piece, I don't even see as 'user-convenient' because it puts the onus on the user to remember to lock out any device that they've lost control of (and they may not even know they've lost control of the device!!).

The illusion of security in products that the mainstream uses is often touted as secure and covered with all kinds of marketing like 'FIPS 140-2 Compliant'!! However, the reality is that true security will always get back to the security of the key. If you want to evaluate the true security of a device or a security implementation, there's a simple checklist the consumer can ask himself when buying the device:

1. Identify the 'key' that gives you access to your stuff.
This could be a password, a 'smart card' or a SecurID token.

2. Can I store my key to allow me to access without asking me every time?
The answer needs to be NO. If your devices store your key without you having to enter it (or provide something external like a secure token), the key isn't really the key, or it's replicated in the implementation. You don't want copies of your key being stored.

3. If I lose my key, is there a mechanism for me to recover my key that does not require another, perhaps more secure, key?
The answer needs to be NO. The key needs to actually be a part of what is needed to unlock the lock. If you can lose your key but still access the data later without it, it wasn't really the key - it was a token to get your key. Key Recovery is a whole practice in and of itself. Sure, we can encrypt and store your key info - but now we need to make sure that's locked up just as tight, if not tighter than the original data.

4. Can key recovery be done without my participation (providing the more secure key)?
The answer needs to be NO!! Again, if your data can be unlocked without you providing the key or an alternate key - it's not really the key at all! It's just a laundry ticket to pick up your key.

Those four questions are a good start - and there's even more to think about for advanced users (e.g. Can the key be used on the data without the system itself?)
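To make the four questions concrete, here is an added example (mine, not Dropbox's code and not anything described on this page beyond the checklist itself) of a key design that answers all four the way the checklist wants. A random data-encryption key (DEK) is never stored; the service keeps only copies wrapped under keys derived with PBKDF2 from two things the user holds, the password and a one-time recovery code. A password change re-wraps the DEK, a lost password is recoverable only with the recovery code, and there is no call the service alone can make to get the DEK back. Beside it is the escrow design the post complains about, where the service keeps the DEK and can reset a password with no key from the user at all. All names, the iteration count, and the wrap construction (a PBKDF2-derived one-time pad plus HMAC, used here so the example runs on the standard library alone) are my assumptions; a real product would wrap with AES Key Wrap or an AEAD cipher.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this illustration. A production service would size
# the iteration count against its own hardware and wrap keys with AES Key Wrap
# or an AEAD cipher instead of the one-time-pad wrap used below.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_keys(secret: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 turns a user-held secret into a 32-byte pad key and a
    32-byte MAC key. The salt is fresh for every wrap, so neither key is reused."""
    material = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def wrap_key(dek: bytes, secret: bytes) -> dict:
    """Wrap the 32-byte data-encryption key (DEK) under a key derived from `secret`.
    Only this blob is stored by the service; the DEK itself never is (question 2)."""
    salt = os.urandom(16)
    pad, mac_key = derive_keys(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))  # one-time pad over the DEK
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(blob: dict, secret: bytes) -> Optional[bytes]:
    """Return the DEK, or None when `secret` is wrong (the MAC tag will not verify)."""
    pad, mac_key = derive_keys(secret, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def create_account(password: bytes) -> Tuple[dict, bytes]:
    """Server-side record plus the recovery code shown to the user exactly once.
    The DEK is wrapped twice: once under the password, once under the recovery code."""
    dek = os.urandom(KEY_LEN)
    recovery_code = os.urandom(16)
    record = {"pw_wrap": wrap_key(dek, password), "rc_wrap": wrap_key(dek, recovery_code)}
    return record, recovery_code


def open_with_password(record: dict, password: bytes) -> Optional[bytes]:
    """Question 1: the password is the key; nothing opens without it."""
    return unwrap_key(record["pw_wrap"], password)


def change_password(record: dict, old_password: bytes, new_password: bytes) -> bool:
    """A password change re-wraps the same DEK; the encrypted data is untouched."""
    dek = unwrap_key(record["pw_wrap"], old_password)
    if dek is None:
        return False
    record["pw_wrap"] = wrap_key(dek, new_password)
    return True


def reset_lost_password(record: dict, recovery_code: bytes, new_password: bytes) -> bool:
    """Questions 3 and 4: a lost password is recoverable only with the other,
    user-held key. There is no function the service alone can call to do this."""
    dek = unwrap_key(record["rc_wrap"], recovery_code)
    if dek is None:
        return False
    record["pw_wrap"] = wrap_key(dek, new_password)
    return True


def escrowed_account(password: bytes) -> dict:
    """The convenience design the post describes: the service keeps the DEK itself
    and only checks the password, so the password is a laundry ticket, not the key."""
    salt = os.urandom(16)
    return {"dek": os.urandom(KEY_LEN), "salt": salt, "pw_check": derive_keys(password, salt)[1]}


def escrow_reset(record: dict, new_password: bytes) -> bytes:
    """Question 4 answered YES: nothing from the user is needed, and the DEK is
    available to whoever holds the record, the service included."""
    salt = os.urandom(16)
    record["salt"] = salt
    record["pw_check"] = derive_keys(new_password, salt)[1]
    return record["dek"]


if __name__ == "__main__":
    record, code = create_account(b"correct horse battery staple")
    dek = open_with_password(record, b"correct horse battery staple")
    print("opened with password:", dek is not None)
    print("reset without recovery code:", reset_lost_password(record, b"guess", b"new"))
    print("reset with recovery code:", reset_lost_password(record, code, b"new"))
    print("same DEK afterwards:", open_with_password(record, b"new") == dek)
```

Two things the code leaves to the reader: after a recovery the recovery code should itself be rotated (the user has just typed it into something), and the advanced question at the end of the checklist, whether the key can be used on the data without the system, is answered here by the fact that the DEK is an ordinary 32-byte key that the client, not the service, could hold and use.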

Don't fall for the illusion - ask yourself these questions to get a feel for how secure your 'encrypted' data is. Then ask yourself which you want, convenience or lock-it-up-and-swallow-the-key security. If history is any indication - you'll choose convenience. I may still be a DropBox user, but my truly private data is encrypted before I store it there. Let's hope I don't get Alzheimer's and lose THAT key.

April 01, 2011

There are certain foods....

There are certain foods in the American culinary lexicon that seem to defy the idea that foods are created by artistic minds, unless one considers the seedier side of the artistic world as a valid source of creative vision. As I purchased breakfast this morning, which included a 'yogurt muffin' that I normally obtain, I stopped to think about just what yogurt is - a sort of curdled milk product (yes, I KNOW there's more to it than that). But even if that were not a strong enough case to be made that some foodies must in fact be engineers instead of artists, I am given to think of Blue Cheese dressing, foie gras and even haggis. This last one I'm sure we could argue is NOT in the American culinary lexicon at all, but is in fact only closely related by the unity of Britain and Scotland and their lingual and historical relationship to Americans. No one wants to get too close to the haggis, after all. Just a passing thought.