Tuesday, February 17, 2004

Tracking Source Code

I am the master of the IMG tag!  Bwaaahhaaaahhaaaahaaa!   I had this idea after hearing about the FBI trying to track down the Microsoft partner who apparently leaked source code. Basically, the idea would be to "watermark" the source code before it is released to an external partner. Watermark how?

Here's what I'm thinking. Imagine a signature that identifies DougCo as the partner company. The cleartext signature would be something short, say, "DougCo...". Using a time-based key and some strong block encryption (BlowFish/TwoFish), create an encrypted, base 64 version of the signature and insert it within source-code comments. Here's the good part: it would be inserted at random positions in comments throughout the source code, look completely random thanks to the time-based key, and be brutally difficult to find. For example, imagine the following code block:

void AFXAPI AfxInternetStatusCallback(HINTERNET hInternet, DWORD dwContext,
    DWORD dwInternetStatus, LPVOID lpvStatusInformation,
    DWORD dwStatusInformationLength)
{
    CInternetSession* pSession;

#ifdef _DEBUG
    if (afxTraceFlags & traceInternet)
        AfxInternetStatusCallbackDebug(hInternet, dwContext,
            dwInternetStatus, lpvStatusInformation, dwStatusInformationLength);
#endif

    if (_afxSessionMap.Lookup(hInternet, pSession))
        pSession->OnStatusCallback(dwContext, dwInternetStatus,
            lpvStatusInformation, dwStatusInformationLength);

    // note that an entry we can't match is simply ignored as
    // WININET can send notifications for handles that we can't
    // see -- such as when using InternetOpenURL()
    // 2f4g78BV847dl56rCMno3aSQ2384Sls2g=
}

Note the embedded signature in the last comment line (highlighted in blue in the original post). Signatures would be inserted into existing comments whenever possible, and into new comment blocks if necessary. They obviously would not affect compilation, but they would certainly allow trackback of released source.

Comments from "T" on Watermarking

"Doug, I liked your idea about code watermarking, but I question the ease with which it could be removed. A 4 line comment-strip utility would destroy your watermark in about 0.005 seconds. What about "hiding" non-printable characters within the code, but still using your basic signature idea? Also, how difficult would it be to re-distribute the source to a new partner using your proposed scheme -- all comments and function headers would have to be modified? What about using a CODE-based watermark -- like every Nth parens are doubled on some schedule determined by a crypto algo -- it would also not affect compilation, but would also yield a verifiable signature that would be difficult to remove?"

Non-printables? Bad idea. A utility would strip those off in 0.000005 seconds.

But the code-based watermark? Good idea. I had a similar thought but a different approach. If pirates were willing to dispense with all comments, I would actually modify variable and method names. The problem with parens (or semicolons, etc.) over the course of a module is that it's relatively easy to throw off the crypto: a pirate could defeat it by inserting or removing the redundant constructs in each module. However, if random variable names were suffixed with (or even changed altogether to use) signatures, then they would likely be very, very difficult to strip out.

Perhaps a combination of all of these approaches could be used.
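As an added illustration of the comment-based scheme described above (my own example, not code from the post), the script below embeds a per-partner tag into existing comment lines, recovers the partner from a leaked copy, and shows T's objection in action: a trivial comment stripper removes every tag. It swaps the post's Blowfish-encrypted signature for an HMAC over the partner name plus a random nonce (the nonce standing in for the time-based key); the secret, partner names and source excerpt are constructed.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample in the spirit of the MFC excerpt above (not the post's file).
SAMPLE_SOURCE = """\
if (_afxSessionMap.Lookup(hInternet, pSession))
    pSession->OnStatusCallback(dwContext, dwInternetStatus);
// note that an entry we can't match is simply ignored as
// WININET can send notifications for handles that we can't see
"""

TAG_RE = re.compile(r"//.*\s([A-Za-z0-9+/]{32})\s*$")  # 24 raw bytes -> 32 b64 chars

def make_tag(secret: bytes, partner: str, nonce: bytes) -> str:
    """8-byte nonce || HMAC-SHA256(secret, partner || nonce)[:16], base64'd.
    A fresh nonce per tag means each release looks different, as in the post."""
    mac = hmac.new(secret, partner.encode() + nonce, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + mac).decode()

def embed(source: str, secret: bytes, partner: str, every: int = 2) -> str:
    """Append a tag to every Nth existing '//' comment line; code is untouched."""
    out, seen = [], 0
    for line in source.splitlines():
        if line.lstrip().startswith("//"):
            seen += 1
            if seen % every == 0:
                line = f"{line}  {make_tag(secret, partner, secrets.token_bytes(8))}"
        out.append(line)
    return "\n".join(out) + "\n"

def identify(source: str, secret: bytes, partners: list[str]) -> set[str]:
    """Given a leaked copy, recover which partner(s) its tags verify against."""
    found = set()
    for m in filter(None, map(TAG_RE.search, source.splitlines())):
        nonce = base64.b64decode(m.group(1))[:8]
        found.update(p for p in partners
                     if hmac.compare_digest(make_tag(secret, p, nonce), m.group(1)))
    return found

def strip_comments(source: str) -> str:
    """T's objection: a trivial comment stripper removes the whole watermark."""
    kept = [l for l in source.splitlines() if not l.lstrip().startswith("//")]
    return "\n".join(kept) + "\n"
```

Running identify over a stripped copy returns nothing, which is exactly why the discussion moves on to identifier-based marks.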

Pitfalls of Outsourcing

From JOS, an erudite post from 'Burninator': "
> you can keep analysis and design in the US,
> and outsource the coding work.

Spoken like someone with no real-world software development experience.

If you actually understood what software development actually entails, then you wouldn't be repeating this mantra that seems to be the hobby horse of MBAs right now.

What all these people want to believe is that one can create a perfect set of requirements -- with maybe some incredibly insightful architectural guidance thrown in ("use EJBs, dude") and ship it all over to a code farm, where a 6 year old child labourer will churn it out for 12 cents a day. Just like the way they send a blueprint for a TV to a third world country, where it will be manufactured at rock bottom prices thanks to cheap labour, lack of environmental regulations and no occupational and health laws.

Well, I've got news for you: Software development doesn't work like that.

For one, design occurs during the development process. The waterfall SDLC didn't work back in the 70s. It still doesn't work today. The fact of the matter is, there are only exceptionally rare cases where one can absolutely and completely know the requirements for a software product prior to development. In the vast majority of cases, the requirements are full of unstated requirements and they change on a regular basis throughout the project.

Much of the work in software development is in fact accommodating those changing requirements and dealing with unspoken/implied requirements.

Here's some more news: only a very small percentage of the work of a programmer actually involves programming. More of it is spent on design, testing, and sitting in meetings about customer requirements.

In short - in most cases, you cannot simply "outsource the grunt work". Anyone who believes otherwise simply has no idea whatsoever what they are talking about. It's as simple as that."


Netcraft on Visual Spoofing

Netcraft reports that there's a new phishing approach out there: visual spoofing.

"A new technique called "visual spoofing" provides a way for Internet phishing scams to convincingly mimic the web sites of banks and credit card companies. The technique alters the user interface of the web browser, substituting images for parts of the browser interface that would normally help users detect the fraud.

Visual spoofing, as outlined by Don Park, uses javascript links to launch a new browser window without scrollbars, menubars, toolbars and the status bar. This coding trick is commonly used to launch pop-up ads. In visual spoofing, these GUI elements are replaced by images, allowing the site creator to substitute a fake status bar containing the URL for a legitimate site, along with an image of a "lock" indicating a secure SSL site. Park has posted a demo of the technique, which works in multiple browsers. End users have the ability to configure their browser to prevent this behavior.

Phishing attacks seek to trick account holders into divulging sensitive account information through the use of e-mails which appear to come from trusted financial institutions and retailers. Such scams have multiplied in recent months, with many taking advantage of a bug in Internet Explorer that made it easier for fraudsters to simulate the URLs of target financial institutions."

Netcraft: Visual Spoofing Offers new Opportunities for Phishers

F**k everything, we're doing five blades

Sheer genius from the Onion. "Would someone tell me how this happened? We were the f**king vanguard of shaving in this country. The Gillette Mach3 was the razor to own. Then the other guy came out with a three-blade razor. Were we scared? Hell, no. Because we hit back with a little thing called the Mach3Turbo. That's three blades and an aloe strip. For moisture. But you know what happened next? Shut up, I'm telling you what happened—the bastards went to four blades. Now we're standing around with our c**ks in our hands, selling three blades and a strip. Moisture or no, suddenly we're the chumps. Well, f**k it. We're going to five blades..."



Rory's blog had a funny comic. What if Ozzy Osbourne was a software developer and... went on a job interview?

If they were coders #2 - Ozzy
