A multifunctional device that works.

We recently tried an inflatable boat/ attached mast framework for sailing. This sounds like a bit of a “Rube Goldberg” device. It isn’t and it handled nicely in winds ranging from a weak gust (we could have blown harder) to 10-15 mph winds. The framework attaches to a wide variety of hulls, including canoes. This is a neat example of good engineering. The system straps to various attachment points on the hull and rides as a semi-rigid platform on top of the flexible hull. It breaks down into a set of parts with a maximum weight of about 40 lbs – which means we can carry it to anywhere. (it might be a bit hard to backpack it to a really remote lake). My 14 year old could sail this, although a bit more strength is required in the highest winds.

One of the neat differences between this and conventional small boat like a sunfish is the steering oar. In addition to helping us paddle out of a long narrow cove with uncertain winds, it gives you a feel for the forces on the boat. A sailboat should be trimmed so that it points into the wind when you release the rudder. This is how it tacks or turns upwind. When beating upwind – the forces on the boat are the wind which is pushing you back and sideways and the water on the keel or leeboards which is deflecting the wind force into a sideways and forward motion. (we’ll ignore current). The rudder servers to help point the bow in an upwind and sideways direction. When I’ve sailed a sunfish clone the rudder points more or less straight back and you don’t pay too much attention to the exact angle. With the steering oar I actually have to counteract the force of the wind trying to turn the boat into it and end up steering as if I was turning towards a broadside run. This is counter-intuitive, but perfectly logical when you plot the force vectors.

Enough with the physics – its a blast!.

Now for a shameless plug of the vendor – we ordered from sailboats to go who were a pleasure to deal with.

Written by Rob in: engineering,outdoors |

Knowing when to bail

Last weekend I coordinated what was to be a practice trip for the Philmont crew.  We’d planned a short overnight trip on one of my favorite trails, the Pinhoti trail, near Dalton.  Its a site full of history (Sherman’s army marched through it and around Johnston’s army which was camped at Dalton).  The trail itself is relatively unused, unlike the AT, so that you can have a real wilderness experience.  (No bears, yet).

However the weather was not cooperative, and we changed from an overnight to a day hike.   All the work in preparation became ‘sunk costs’.  An ominous rumbling grew closer as we were walking along a knife ridge, and when the  storm was close enough we returned to the cars.  Were we further along we’d have had to go downhill and spread out to avoid a strike.

The heavy rain tested our (mostly not) waterproof gear (mine was fine), so we’ll be well prepared for next time – where we won’t have cars to return to.   As a preparation trip it was great.

It was good we ‘bailed’ because short there after a tornado went through to the south, and another one to the west.  We’d have been fine but it was a little too close for comfort.

Written by Rob in: backpacking |

Link spam and sausage?

A new form of spam has infiltrated the inbox for this site, and it is sort of interesting.

The idea is to send a bunch of sentence fragments of with 20-60 links, aggregated from various sources (payday loans, male enhancements and the like) into  a single comment.  This is an attempt to take advantage of Googe’s link ranking algorithm – it would be as if I tried to boost my rank by creating many web sites with links to my pages.

A similar approach is to put a template sentence with a few keywords from the post and say how useful it is.

This will fool a Baysean network because it will look a lot like English -  in that it agrees with prior probabilities taken over a sufficiently narrow range of sentences, but it doesn’t quite make sense when a human reads it.

Actually it reads exactly like students work when the “write by Google”, – i.e. cut and paste from websites.

I’m wondering if a better natural language processing tool would be a good idea as a spam filter.  It might even make my life easier.

Written by Rob in: pedagogy,security |

Race Conditions and Fraud

One of the classic problems in multiple process programming is a “race condition” where one process invalidates or modifies data that another process is using.  It often shows up when one process is slower than another due to system load or difference in hardware.  This can lead to all sorts of interesting effects, none of which are good.   In security this is especially bad, because it opens holes in otherwise well-designed systems.

Ever wonder how those $2000-3000 a week – all you need is email scams work?  These are an example of advance fee frauds, which take advantage of a race condition between electronic funds transfer and the final transfer of assets.   Basically, the victim is asked to deposit a check and return part of the deposit to the sender.  This can either be overpayment (I guess checks are expensive in some parts of the world so they just can’t be torn up and re-written with the correct value) or the rest of the check minus the service fee that is part of the victim’s ‘salary’.  The check eventually “bounces” and the victim has to repay the bank for the funds while the scammer spends the money.

Checks are ‘self-insured’ in the sense that you are vouching for the veracity of the check issuer to your bank.  So if you have enough funds to cover the check, the bank is willing to accept your statement that the check issuer is valid and lend you the money.  When the check bounces -  you have to repay the loan as the insuring agent.  (part of the reason credit cards in the USA have a transaction fee is to  pay for the insurance to cover the small fraction of transactions that are fraudulent or disputed – in the UK it’s self-insured and they use a stronger authentication protocol).

It is this combination of abuse of trust and different rates of processing that allows the scam to work.

A similar race condition exists in Phishing emails.  It is relatively easy and fast to block or disable accounts from which the emails appear to arrive.  In fact it’s faster to disable the email than it is to set up a good Phishing database – so it would seem that this wold be an easy condition to catch and correct.  Just block the sites as fast as they appear and eventually they will go away.


The more sophisticated Phishers use html email with a refresh meta-tag.   The email arrives from a compromised site (as opposed to email spoofing which is easier to detect), but when you read it with an html-aware email reader (thunderbird is just as bad as outlook for this) it moves you to the redirect site.  The redirect site may actually redirect you again (and again (and again…)).  Thus the real site is protected from trivial blocking on a black-list.  So now difference in rates is in the phisher’s favor.

Written by Rob in: security |

Spam, spam, spam, wonderful spam

One of the courses I teach is on computer security. It’s fairly well recieved by the students and starts with an overview of cryptography before meandering off into the neatherworld of fraud, spam, and various aspects of the criminal mind.   So I collect phishing email, viruses and various worms for analysis (it’s neat to see how automated windows attacks fail on a linux box ;-) ).

I have a few lessons for the various human spambots (could we call them members of the borg collective?) that wander through the blogosphere.

  1. Totally automated insertion of web links into a moderated message queue is simply a waste of time. WordPress has this wonderful ‘mark all as spam’ feature and it works.
  2. Cleverer attempts are sort of amusing, but it really does defeat your validity if the email address is or your website is (real site).
  3. Attempting to launch a virus in your posting will fail if the editor isn’t using a susecptable system. (MacOSX or one of many linuxes)
  4. For UNIX people who want to study these things – wget is fantastic for getting the components of the sleazy systems. (there are better tools for getting the whole website if you need it.)

The approaches I’ve seen, mostly in email but a few here, have ranged from the blindingly obvious (my favorite was the time one early phishing attempt was sent to an ACM mailing list – the one place where every reader was overqualified to detect it – my second favorite is from “microsoft”, but composed and mailed using linux tools) to quite complicated chains of interacting scripts that are derived from real websites. I’ve found examples where the payload information was eventually saved in an error message on a compromised webserver that had nothing to do with the content that was presented. Definitly clever.

Recently I’ve had a spate of emails about e-cards or mesages. They’ve inevitably been an executable (part of a worm for building the world’s largest supercomputer). A guess it’s a change from the emails from “john somename” that then say they are a lonely girl. It isn’t that hard to have a list of girl’s names, you know.

Lately I’ve been getting spam in German. It’s improving my vocabulary with words they never taught us in high school.

Don’t think this is sour grapes, the flowing stream of spam and anecdotes from it make teaching my class fun. So I have to say thank you.

Written by Rob in: pedagogy,security |

Powered by WordPress | Aeros Theme | WordPress Themes