Martin Geisler Online

I’ve finally booked flights for me and Stéphanie for the summer! We’re going to the U2 Vertigo concert in Copenhagen on the 31th of July, and after that I’ll be going to Århus and Aalborg to visit friends and family while Stéphanie goes back.

We’ll arrive in Copenhagen on July the 31th with a flight from SWISS and Stéphanie will go back already on August the 2nd. I’ll then take a bus to Århus and Aalborg and first go back two weeks later on the 16th of July.

In those two weeks I hope to visit lots of people in both Århus and Aalborg!

That was the dates — now let me tell you about the booking experience… First of all: it’s a jungle trying to find the cheapest flight from A to B. There’s the cheap airlines like EasyJet and Ryanair, and I’ve flown with them before without any problems. But neither of them fly directly from Switzerland to Copenhagen which means that you’ll have to go by either London Stansted or Berlin and this complicates the whole thing, and is also likely to make the total cost higher than a direct flight.

About the total cost, then that’s a bit silly too: half of what you pay is called fuel, fees and taxes. And you’ll only see those at the end of your booking. I understand that the airline companies have to pay something to the airports to be allowed to land there, but could they not just include that in the price? That would make things more transparent when you’re comparing prices — ups, perhaps that’s why they haven’t done it! :-)

Finally a technical thing: the SWISS online booking system cannot handle two concurrent bookings made in the same browser. When trying to do so, you get this nice little warning:

Sorry: our system is unable to continue this transaction. Entering multiple inquiries or using the “Back” function of your browser can cause the system to freeze. Please close your internet window completely and start again.

I would suspect that they store the session data in a cookie, and thus the two tabs or browser windows will use the same cookie. That’s a shame, for making two concurrent bookings is exactly what I had to do in my case where Stéphanie and I will be flying back on different dates. And it’s not that it’s technically impossible to support multiple concurrent sessions in the same browser: it just requires that the session ID is embedded in the page and not in a cookie — EasyJet does it like this. A small detail in the implementation with a big impact on the functionality of the system as a whole.

Using Linux it was easy to overcome this limitation anyway: I simply logged in as another user, exported $DISPLAY to :0.0 and started another Firefox. Before doing this you’ll have to give the other user access to your X server, do this by copying your ~/.Xauthority file to the home directory of the other user. An alternative is to make a symbolic link to it and then ensure that the other user is able to read it (with root this works very nicely).

Another, more heavy-weight, solution would be to spawn a new display using something like GDM Flexiserver, but just copying or linking the ~/.Xauthority file is much easier, IMHO.

I was browsing through my old reports from way back in primary and high-school. That brought back some memories… I found lots of short stories from my Danish and English classes — it’s very cute to see a two-page summary of some English text which I now don’t even remember reading :-)

There were also bigger reports among my old stuff: a report from a class excursion to Nordjyllandsværket, our local power plant in Aalborg. Our class also made an excursion to Dansk Eternit where we made tests with breaking their fibre-cement roof elements. I might put those online someday if I can get them converted.

The reports and texts from my primary school days were all written in Microsoft Word — I had not yet seen [the light][LaTeX] back then… :-) During high-school I started using [LaTeX][], and now I’m glad I did: the DVI files still exactly like they did those five years ago!

With the Word files things are a bit more difficult: OpenOffice is able to open them all without problem and the text is there with the correct formatting. The embedded images are also there and OLE stuff like Equation Editor objects and vector drawings from the venerable CorelDRAW are generally there too, although some of them looked a little weird.

There’s also the problem that I no longer have programs like CorelDRAW, so I’m no longer able to edit those images — I have basically reached a dead-end in the upgrade path when I switched to Linux. With programs like MetaPost I don’t have to be afraid of that — it’s free so I’ll have access to MetaPost today, tomorrow and in ten years.

If you’re a normal Windows user, then you might be thinking something along the lines of “What about incompatibilities between new and old versions?” Fear not! Stability is a major concern for people in the LaTeX world (and MetaPost is primarily used with LaTeX). I believe this is so because LaTeX is a tool used for serious stuff where one would actually loose huge amounts of money if something “suddenly” changes. A twenty page document written in Word doesn’t count at serious stuff — a 1000 page book in LaTeX does.

There you want to be absolutely certain that everything looks the same as the first edition when you begin preparing a second edition. So TeX itself is now frozen and all changes to LaTeX are made with much care so as to not disturb existing documents.

Despite the grieves over MS Word it was an enjoyable tour through the good old days!

I’ve had a post lying around here in [WordPress][] as a draft for some time now. I started writing it when I was in Wallis with Stéphanie — there her mom showed me an article about skimming. This was very interesting, for I had just heard about that in my System Security lecture…

I started writing something up on the subject, but I never got it finished — before now, so please go read about skimming. I should warn you that you might be scared by what you read :-)

Exploiting Software, How to Break Code. ISBN: 0201786958
by Greg Hoglund and Gary McGraw.

I’ve now read through this book, and my impression of it is mixed. The book coverered lots of new stuff for me, but I’m not entirely satisfied with the way it did that.

The book (obviously) tries to cover software exploits, and it tries to do it in great detail, using lots of code listings showing both C and assembly code. The idea of explaining how real world exploits work by referring to C and assembly code it good — I’ve seen too many books which just talks about buffer overflows in theory.

But I doubt the usefulness of many of the code listings. Several of them run over multiple pages, listing entire programs which would have had a better place on a CDROM or just online. There’s no need to include so many pages of code in a book, especially when the code is listed completely bare: typeset in Courier with no bold, italic or any other syntax highlight.

Also, a good deal of the code describes plugins and other things for the IDA Pro Disassembler, which is used throughout the book in the examples. Again, the attempt to go into detail is good, but the book shouldn’t be so focused on this one tool, IMHO.

Another way in which this book is narrow-minded is the small selection of other works referenced. The bibliography in the book is very thin: three pages with just 31 cited works. Through-out the book one finds references to “Securing Java” and “Building Secure Software” — two books by the same authors. The first couple of times one sees a reference to these books it’s okay, but in the end I was wondering if I should have bought one of those books instead, since this books keeps referring to them…

Maybe those books wouldn’t waste so much paper on screenshots? This books has lots of screenshots showing “interesting” snapshots from an attack. Such a snapshot could be a standard Windows command shell, or an xterm showing the output of uname -a and id… And it’s not only the many screenshots that take up space: at one point there’s a dependency list of 161 function names from seven DLLs with one name per line, running over more than four pages. The text then concludes that this list is interesting because it shows what scrrun.dll might be able to do on behalf of a script! One doesn’t have to fill four pages with names to say that scrrun.dll (or whatever DLLs you’re analyzing) is a valuable target.

So all in all I suggest that people take a good look at this book before buying it. I would say that it requires a solid understanding of assembly code to be really useful, and experience with the IDA Pro tool is also a good idea. I have neither, and perhaps that was why I didn’t find this book that good? Please comment if you have read it!

The search functionality offered by [WordPress][] is — how to put it? — simple. You type some words and it makes a LIKE query against the titles and contents of your posts. So that’s kind of slow, doing a full scan through the posts table for each search without using any indexes at all.

What is worse is that it looks like the results are ordered by date and not relevance. So I’ve now made a little box which uses Google to search the site, which will hopefully give better results. As always, let me know what you think of this.