31 March 2010

Black hat SEO

Hackers automatically generate pages around currently popular keywords (breaking news, ...) harvested from sources like Google Trends. They build networks of cross-linked bogus pages hosted on compromised, legitimate websites. When a search engine's crawler comes along, it is served the keyword page and indexes it.
When a user arrives at the URL from a search result, the site detects a normal browser visit and redirects the user to malware sites.
A paper by Sophos explains the technique.
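The cloaking step (one page for the crawler, a redirect for the browser) is what a site owner or scanner can test for. The check below is an added example, not code from the post or the Sophos paper: it compares two fetches of the same URL that differ only in User-Agent, flags an off-host redirect that only browsers get, and measures how little visible text the two views share. The two responses are constructed sample data; the hostnames are placeholders.

```python
"""Cloaking check: compare what a page serves to a crawler with what it serves
to a browser. Added example; the two responses below are constructed."""
import difflib
import re
from urllib.parse import urlsplit

# A fetched page as the checker sees it: final status, headers, body.
# In practice these come from two HTTP fetches that differ only in the
# User-Agent header; here they are constructed sample responses.
CRAWLER_VIEW = {
    "status": 200,
    "headers": {"content-type": "text/html"},
    "body": "<html><head><title>breaking news today</title></head>"
            "<body><h1>breaking news today</h1><p>keyword keyword keyword ...</p>"
            "<a href='http://example.org/page2'>more</a></body></html>",
}
BROWSER_VIEW = {
    "status": 302,
    "headers": {"content-type": "text/html",
                "location": "http://malware.invalid/scan.php"},  # placeholder host
    "body": "<html><body>Redirecting...</body></html>",
}

# Client-side redirects that a crawler may not follow but a browser will.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(view):
    """Return the URL a visitor would be sent to, or None if the page stays put."""
    loc = view["headers"].get("location")
    if view["status"] in (301, 302, 303, 307, 308) and loc:
        return loc
    m = META_REFRESH.search(view["body"]) or JS_LOCATION.search(view["body"])
    return m.group(1) if m else None


def visible_text(html):
    """Crude tag stripping: enough to compare the words a visitor would see."""
    return re.sub(r"<[^>]+>", " ", html).split()


def detect_cloaking(crawler_view, browser_view, page_host, threshold=0.5):
    """Flag the page when browsers are sent off-host while crawlers are not,
    or when the two views share too little visible text. Returns findings."""
    findings = []
    c_redir, b_redir = redirect_target(crawler_view), redirect_target(browser_view)
    if b_redir and not c_redir:
        host = urlsplit(b_redir).hostname or ""
        if host and host != page_host:
            findings.append(f"browser redirected off-host to {host}, crawler served content")
    ratio = difflib.SequenceMatcher(
        None, visible_text(crawler_view["body"]), visible_text(browser_view["body"])).ratio()
    if ratio < threshold:
        findings.append(f"content similarity {ratio:.2f} below {threshold}")
    return findings


if __name__ == "__main__":
    for f in detect_cloaking(CRAWLER_VIEW, BROWSER_VIEW, "example.org"):
        print("cloaking indicator:", f)
```

Fetching with a crawler User-Agent alone is not enough in practice, since these kits also key on the referrer (arriving from a search result) and on the client IP; the same comparison applies to each pair of fetches you vary.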

25 March 2010

google maps: public transport

GUI architecture patterns

Model View Controller is the common architecture for graphical user interfaces.
There are however many variations on it, partly depending on the underlying technology.
As a result MVC is often misunderstood, and the same names are used for different beasts.
Here's a clear overview of MVC and its brethren.

18 March 2010

Revision control tools survey

A recent small survey of versioning tools on the ThoughtWorks development mailing list, by Martin Fowler:

Subversion has replaced CVS as the tool of choice.
Appreciation of reputed commercial tools like Rational Clearcase and Microsoft Team Foundation Server (version control) is shockingly low.
ThoughtWorks is both involved in Open Source projects (jMock, CruiseControl ...) and a Microsoft Gold Certified Partner, so these opinions should be fairly neutral.
Distributed tools Git (by Mr Linux, Linus Torvalds) and Mercurial get the highest approval rates. These tools copy the whole repository to the local system, not just the revision you're working on. Advantages are:
  • you can work with revisions while being disconnected
  • faster access
  • commit and publish are separate events:
    • developers can more easily make an intermediate commit before starting to write speculative code, without having to worry about the commit breaking the published code.
    • extra actions can be added between commit and publish
      • publish permission can be restricted
On the other hand, Subversion has a more intuitive command line interface and the better Windows GUI. You'd expect it to be more economical on client disk space, as it does not store all revisions, but this is not the case, due to the efficient diff/storage algorithms of tools like git.
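The "extra actions between commit and publish" point is where a server-side hook lives: git runs a pre-receive hook on the receiving repository and rejects the whole push if the hook exits non-zero, so publish permission can be enforced there independently of who may commit locally. Below is an added example of such a hook, not code from the survey or from git; the policy table is constructed, and the pusher's identity is assumed to arrive in a PUSHER environment variable set by whatever wraps SSH or HTTP access (that variable is an assumption, not a git feature).

```python
#!/usr/bin/env python3
"""pre-receive hook that gates the publish step (added example).
git feeds one line per ref the push wants to update on stdin:
    <old-sha> <new-sha> <ref-name>
Exit non-zero to reject the push. The pusher's identity is assumed to be in
the PUSHER environment variable (an assumption about the hosting layer)."""
import os
import sys

ZERO = "0" * 40  # git's "no object" value: the ref is being created or deleted

# Constructed policy: who may publish to which protected refs. A key ending in
# "/" matches every ref under that prefix, any other key matches exactly.
POLICY = {
    "protected": {"refs/heads/master", "refs/heads/release/"},
    "publishers": {"refs/heads/master": {"alice", "bob"},
                   "refs/heads/release/": {"alice"}},
    "allow_delete": False,
}

# Constructed sample push: an update to master and a new feature branch.
SAMPLE_PUSH = [
    f"{'a' * 40} {'b' * 40} refs/heads/master",
    f"{ZERO} {'c' * 40} refs/heads/feature/x",
]


def protected_by(ref, policy):
    """Return the policy key covering ref (exact name or prefix match), or None."""
    for key in policy["protected"]:
        if ref == key or (key.endswith("/") and ref.startswith(key)):
            return key
    return None


def check_push(update_lines, pusher, policy=POLICY):
    """Evaluate every ref update in a push; return the list of rejection reasons
    (empty means the push is accepted). Unprotected refs are left alone."""
    reasons = []
    for line in update_lines:
        line = line.strip()
        if not line:
            continue
        try:
            old, new, ref = line.split()
        except ValueError:
            reasons.append(f"malformed update line: {line!r}")
            continue
        key = protected_by(ref, policy)
        if key is None:
            continue
        if new == ZERO and not policy["allow_delete"]:
            reasons.append(f"{ref}: deleting a protected ref is not allowed")
        if pusher not in policy["publishers"].get(key, set()):
            reasons.append(f"{ref}: {pusher or '<unknown>'} may not publish here")
    return reasons


def main():
    pusher = os.environ.get("PUSHER", "")
    reasons = check_push(sys.stdin.readlines(), pusher)
    for r in reasons:
        print("pre-receive:", r, file=sys.stderr)
    sys.exit(1 if reasons else 0)


if __name__ == "__main__":
    main()
```

Install it as `hooks/pre-receive` (executable) in the published repository; developers keep committing freely in their clones, and only the push into the shared repository is subject to the policy.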

3 March 2010

Belgian EID risks

Interesting papers on Belgian EID by Pieter Verhaegen: 

Belgian e-ID description
The Belgian e-ID card is a smart card that allows Belgian citizens to prove their identity and to sign electronic documents. Private information such as the owner's name, his address, a digital picture of the owner and his National Registry Number (Social Security Number) is stored on the card and signed by the government. Two PIN-protected key pairs allow digital authentication and signing.
Pilot projects for foreigner and kids e-ID cards are being executed.
To use the card in (web) applications the user needs a card reader and a middleware application (by the fedict government service). Applications typically interact with the card via an API offered by this middleware, which is documented in the developer guide.
The card's public keys are embedded in a certificate containing the RRN and the name of the card holder, signed by the government. The private keys can only be activated (not read) with a PIN code.

Some of Pieter's remarks
  • The unique identity key is the National Registry Number (RRN). The Belgian Privacy Commission states that this key may only be stored by applications after official approval by them (National Register Act of 8/8/1983, amended 25/3/2003, art. 5), as mentioned in the FAQ. The FAQ suggests using a hash instead of the RRN.
  • As the RRN is not protected by the PIN, developers tend to think that just reading it is sufficient for authentication, rather than using client-side SSL authentication.
  • Once the authentication PIN is entered, the authentication certificate can be used multiple times without notifying the user. A malicious application might authenticate to other sites on the user's behalf.
The FEDICT middleware application is not mandatory. It can be replaced by another application. This is at once a risk (malicious middleware application) and a feature (openness, extensibility). The eid-applet, for instance, can be used with or without the middleware and comes with an excellent developer guide.
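On the FAQ's advice to store a hash instead of the RRN: the RRN has very little entropy (a birth date, a three-digit serial and two derived check digits), so an unkeyed hash can be undone by hashing every possible RRN once. The added example below, which is my own and not from the papers, the FAQ or the fedict middleware, validates the RRN check digits and derives a per-application pseudonym with a keyed hash (HMAC-SHA256 under a secret held server-side), which is stable for the same person within one application but cannot be reversed or correlated across applications without the key. The RRN values in the test data are constructed to pass the checksum and belong to nobody; the application key is a placeholder.

```python
"""Pseudonymous identifier instead of storing the RRN (added example).
Assumes a per-application secret key kept server-side (placeholder below);
the RRN values used are constructed test data."""
import hashlib
import hmac
import re

RRN_DIGITS = re.compile(r"^\d{11}$")


def rrn_checksum_ok(rrn: str) -> bool:
    """Validate the two check digits of an RRN written as YYMMDDSSSCC
    (dots and dashes are ignored). The check is 97 - (YYMMDDSSS mod 97);
    for people born from 2000 on, a '2' is prepended before the modulo."""
    digits = re.sub(r"\D", "", rrn)
    if not RRN_DIGITS.match(digits):
        return False
    body, check = int(digits[:9]), int(digits[9:])
    return check in (97 - body % 97, 97 - int("2" + digits[:9]) % 97)


def make_rrn(yymmddsss: str, born_2000_or_later: bool = False) -> str:
    """Build a syntactically valid RRN for constructed test data."""
    body = ("2" if born_2000_or_later else "") + yymmddsss
    return yymmddsss + f"{97 - int(body) % 97:02d}"


def pseudonym(rrn: str, app_key: bytes) -> str:
    """Stable per-application identifier: HMAC-SHA256 over the normalised RRN.
    Without app_key the value can neither be reversed nor linked to the same
    person's pseudonym in another application using a different key."""
    digits = re.sub(r"\D", "", rrn)
    if not rrn_checksum_ok(digits):
        raise ValueError("not a well-formed RRN")
    return hmac.new(app_key, digits.encode(), hashlib.sha256).hexdigest()


def rrn_search_space() -> int:
    """Rough upper bound on structurally valid RRNs: a century of dates times
    998 serial numbers; the check digits are derived, not free. A table of
    this size is why an unkeyed hash of the RRN is obfuscation, not protection."""
    return 100 * 366 * 998


if __name__ == "__main__":
    APP_KEY = b"placeholder-app-secret-keep-server-side"  # placeholder, not a real key
    sample = make_rrn("850712123")  # constructed: born 12 July 1985, serial 123
    print("valid:", rrn_checksum_ok(sample))
    print("pseudonym:", pseudonym(sample, APP_KEY))
    print("RRNs to enumerate for an unkeyed hash:", rrn_search_space())
```

The same pseudonym is reproduced from the formatted card value ("85.07.12-123.CC") and from the bare digits, so applications can key on it consistently; rotating the application key changes every pseudonym, which is a migration concern to plan for rather than a reason to fall back to a plain hash.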

Some tips on using e-ID in an application.