The idea of offering your product or a version of it for free has been a source of much debate. What is FREE, and is FREE really, really free, as in gratis? The idea for writing this article came from reading the article “Minimum Viable Free Product (MVFP)” by Nathan Taylor. Nathan talks about the “Minimum Viable Free Product”, and I personally don’t like how “Free” is interpreted. Yes, I did read Chris Anderson’s book about free products. But the Internet decided to do things quite differently. Let’s define the terms before we go into the discussion.

Terminology

FREE = the product has a zero acquisition price: it doesn’t cost anything to install/use. Nothing is said about what happens after you install it. Note also that this doesn’t say anything about what is being sold: MVFP or freeware or ad sponsored or… you name it. It is just “something” that doesn’t cost anything, and it doesn’t say if it is the “full” product or an “entry level” product.

Free trial = this is the full product offered for FREE for a limited period of time. After that, the product either stops functioning or reduces the functionality to an “entry…

Why should you sign your binaries

One of the larger questions facing the software industry is: How can I trust code that is published on the Internet? Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash. [Wikipedia]

This means that code signing can provide several valuable features:
– provide the identity of the software when deploying: as can be seen in the picture below, it is reassuring to know that the binary comes from the producer of the software.
– provide proof of authenticity, namely that the code has not been altered in any way.
– in some programming languages, it can also be used to help prevent namespace conflicts.

Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other metadata about an object. There are multiple ways to sign code. Microsoft has put together all available methods in this…

What are functional and non-functional requirements and why both matter

In software engineering (and Systems Engineering), a functional requirement defines a function of a system or its component. A function is described as a set of inputs, the behavior, and outputs (see also software). Functional requirements may be calculations, technical details, data manipulation and processing, and other specific functionality that define what a system is supposed to accomplish. Behavioral requirements describing all the cases where the system uses the functional requirements are captured in use cases.

A non-functional requirement is a requirement that specifies criteria that can be used to judge the operation of a system, rather than specific behaviors. This should be contrasted with functional requirements, which define specific behavior or functions. The plan for implementing functional requirements is detailed in the system design. The plan for implementing non-functional requirements is detailed in the system architecture.

So, in simpler words, the non-functional requirements, in addition to the obvious features and functions that you will provide in your system, are other requirements that don’t actually DO anything, but are important characteristics nevertheless. For example, attributes such as performance, security, usability and compatibility aren’t a “feature” of the system, but are a required characteristic. Most of the time you can’t write a specific line of code to implement them; rather, they are “emergent” properties that arise from the entire solution. The specification needs to describe any such attributes…

How would you describe yourself?

Your LinkedIn profile can tell someone a lot about you. But what are your strongest skills? How could you describe yourself in a few words?

Here is how: create a cloud of words from your profile, enhancing the words that appear most.

Here are more of these created using Please note that for this website you need Java. Read here how to deal with it.

If there was any doubt, I am very much into Software Security. Check out my professional profile and connect with me on LinkedIn.

The post might not bring exactly what you expect for Christmas

With the holiday and gift season approaching, most of us are thinking about what presents to order for Christmas. Many people prefer to order them online rather than spend hours chasing presents in a mall. I know I am one of those… This fact is also known to cyber criminals, who will do anything to get more money or to extend their botnets. While we usually see only some targeted fake shops or phishing campaigns, this time the stakes were raised to a higher level.

A spam campaign which pretends to represent the delivery service FedEx is delivering an archive attached to the emails. The ZIP file contains an executable file called Postal-Receipt.exe which, at the time of analysis, was detected by only three of the 48 antivirus products registered at the online scanning service VirusTotal. Avira briefly analyzed the file and added the detection TR/Inject.exab for that file.

The executable in the archive is a clever piece of malware which tries to fool the user by starting a notepad, pretending to display the receipt. In the background, it injects code into svchost.exe and tries to contact its command and control server in order to transfer some malicious payload onto the user’s computer. And this is how…

Security 101: December 2012

How safe is internet banking when I am using a smartphone to do it? I noticed several banks provided apps to do mobile internet banking and share trading but does it really work?

Smartphones have much more limited security functionality than desktops. However, they do share one weakness: they are both equally exposed to external attacks if they transmit non-encrypted data over non-encrypted Internet connections. So, it is not possible to give a general statement about how safe or unsafe the usage of an app really is. It depends mostly on the app itself. In general, an app that transfers highly confidential data must only work with encrypted data. It is also highly recommended that the connection to the network also be encrypted because even if the data is encrypted, the application could be theoretically vulnerable to a sophisticated man-in-the-middle attack. The best method is to check with the app developer if the data is transferred in a secure manner.

Why do some antivirus manufacturers change their software’s interface all the time when users are already familiar with it?

Many antivirus manufacturers change their user interface (UI) based on the feedback they receive from the marketplace and incorporate innovative and feasible changes that their customers have requested. Some others change it regularly because this theoretically improves the acceptance…

Skype distributing software (games) without user’s explicit approval?

Since yesterday evening, the users of Skype for Windows who installed the EXTRAS features have started to receive software automatically. The software comes from EasyBits Media, a company from Oslo, Norway. Skype users started to complain yesterday afternoon and the drama seems to continue, without Skype officials commenting on this. The entire thread is here:

A user writes in the Forum:

I clicked “deny” when Skype asked for permission to install this on my computer, but it still went ahead and installed anyway. Can somebody from Skype confirm ASAP if this is a virus which has gotten into the Skype network or if this is something they have pushed out with a very dubious installer. Not impressed.

One and a half hours later, the user called EasyBitsMedia posted a copy/paste from their website mentioned above:

EasyBits Media is dedicated to providing a world class Game channel to the expanding global Skype community. In 2006, in collaboration with Skype, EasyBits Media created the Skype Extras framework – one of the world’s first ever Apps store. Skype Extras are Apps that allow users to extend Skype functionality. For example, our Skype Extra is called “Play Games”…

Microsoft Defender and dangerous alert levels

Description: This program changes various computer settings.
Advice: This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you’re not sure whether to permit it, review the alert details or check if you recognize and trust the publisher of the software.
Category: Tool

Clicking on the link in the dialog gets you here where it is explained that it is actually a Research Tool.

Research Tool:Win32/EICAR_Test_File Tool:Win32/EICAR_Test_File (?)
Encyclopedia entry
Published: Mar 08, 2007
Aliases: Not available
Alert Level (?): Severe
Antimalware protection details: Microsoft recommends that you download the latest definitions to get protected.
Detection initially created: Definition: Released: Oct 07, 2008
Summary: This potentially unwanted software is detected by the Microsoft antispyware engine. Technical details are not currently available.

5 Apple security myths

Five Apple Security Myths — and the Disturbing Truths

Five hard lessons

With that in mind, here are five Apple security myths — and the brutal truth behind each:

Myth: I don’t need antivirus and spam protection because I work on a Mac.
Truth: The Mac OS X operating system is targeted less frequently by malware only because it’s not as widespread as Windows. It’s no more secure than any other operating system, said Sorin Mustaca, data security expert at Germany-based Avira. As for phishing attacks, said Mustaca, “the biggest problem in this case is not the computer itself, but rather it’s the user.”

Myth: I can’t be infected by any malicious software because I get my applications exclusively from the iTunes App Store.
Truth: “We’ve seen a couple of times already that the App Store is not such a secure fortress as one might have hoped,” said Mustaca. “It is extremely difficult to check every single application that is inserted there.”

Myth: Mac OS X is inherently more secure than Windows.
Truth: Apple’s brand-new products are being hacked almost immediately upon arrival. For example, “jailbreaking” your iPhone is as easy as browsing to a specific website. “For a while,…

The Twelve Principles of Agile Software

The Twelve Principles of Agile Software of the Agile Alliance:

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.
7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity–the art of maximizing the amount of work not done–is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
