Life In A Northern Town (43°4′N, 141°21′E)

T-Rex Sort Of Validates Me, In Panel 3

noreply@blogger.com (Buruzaemon) — Fri, 19 Nov 2010 21:32:00 +0000

This is in reference to an earlier post.

On Drive & Motivation

noreply@blogger.com (Buruzaemon) — Sat, 19 Jun 2010 13:07:00 +0000

Came across this terrific animation bit on drive, incentives, and motivation. It is hilariously spot-on. If you find yourself on the hiring side of the interview table, you should view this animated presentation first.

Grover Does Dama Dam Mast Qalandar

noreply@blogger.com (Buruzaemon) — Fri, 18 Jun 2010 21:48:00 +0000

I don't quite know what to say, except... Grover still rocks my world.

A Funny Thing Happened on my Train to Work This Morning

noreply@blogger.com (Buruzaemon) — Wed, 07 Apr 2010 13:51:00 +0000

I've been in Japan so long, maybe I'm going native.

I just hopped on the subway this morning, finding a well-positioned seat on the right-hand side of car number 8, and was enjoying a nice article on how to read a balance sheet in my favorite business magazine. I had Audioslave's Cochise on my iPhone, and I was looking forward to finishing the article before getting off at Otemachi. I normally get on at the station where the subway begins, so the seats fill up fast.

The subway lurches forward, and soon I am deep into my magazine. After a stop or two, I look up and notice a woman standing in front of me. All the seats by now are taking, standing-room only. And then I notice that she could be... well, she might be pregnant.

Now, Boy Scout that I am, I was just about ready to jump up and offer my seat. But I hesitated. Yeah, she sort of had that wonderful, baby's-four-months-along-now bulge in her tummy. But was that bulge real, or was I just imagining it for her bulky and loose outfit?

I bit my lip and tried to determine the situation. But it is rude to look to hard at a person in Japan, so I tried to be nonchalant about it. Urgh, couldn't tell. I glanced nervously sideways. The guy sitting next to me was fast asleep. The people sitting on the other side of the car were just staring vacantly forward out the windows. Didn't they notice this pregnant woman standing? Why couldn't any one of them stand and offer their seat, and save me the trouble of making a hard decision?

I continued to discreetly assess this woman. Yeah, she sort of had a large, pear-shaped frame. Could be pregnant. Or was it just the cut of her clothes? Another station comes and goes, and I am still deep in debate. Back Stateside, I would offer my seat without hesitation, and so what if I was wrong and she wasn't pregnant? We'd both laugh it off, and maybe I would get to sit back down and and continue reading.

But this is Japan. Appearances and saving face counts, and I sure would not want to cause this woman any embarrassment for mistaking her to be pregnant when she might only have been just packing a bit of a beer belly. Oh, the predicament! A bead of imaginary sweat rolled down my forehead.

So two more stations pass, no one around me is budging, this woman in still standing solidly right in front of me, and I am still pretending to be engrossed in my magazine. Ah! What a great column on the classic Monty Hall problem on conditional probability! But the situation does not change a bit... another station comes and goes... and I am still struggling at the impasse. Do I stand or continue to politely pretend oblivious ignorance?

Finally, the man sitting next to me gets up and disembarks at the next station. I breathe a sigh of relief, thinking that I don't have to make a hideous gaffe (embarrassing for both of us?) now that a seat has opened up. Joy!

...

But the woman doesn't sit. Nope. Doesn't even make a move towards the empty seat, just huddles up against the door next to me. A whole lot of other people get on the train, and someone else sits down next to me. But Ms. Beer Belly gets off a station later, when I finally see that she is not in the family way, just merely pleasingly pear-shaped.

I am such a wiener.

Another Comic

noreply@blogger.com (Buruzaemon) — Thu, 06 Aug 2009 16:06:00 +0000

XHTML2 Is Dead, Long Live HTML 5!

noreply@blogger.com (Buruzaemon) — Wed, 05 Aug 2009 04:15:00 +0000

Swearing to Cope with Pain

noreply@blogger.com (Buruzaemon) — Wed, 15 Jul 2009 02:18:00 +0000

Man, it has been a while since I last posted. I wanted to write about all sorts of things. Like successfully installing R for OpenSolaris using packages. Maybe about the uncertain future for OpenSolaris, now that Oracle pwns that. Maybe about coffee (see my byline, I actually haven't written one word about my addiction to the bean). Maybe about a candidate for a side project I've been mulling over, involving human speech parsing. But I've been busy, both professionally and in private life.

However, I found a wonderful article on Scientific American that is just so timely, that I feel compelled to post. Right here, right now.

Been quite busy at work, having been drafted to fight fires on a project that I now understand to be, simply put, a real death march project.

If you're in IT, then you know what I mean...

Crazed release schedules, dictated to us according to the customer's whims. Lack of basic, understandable documentation. Severe lack of a coherent, well-thought architecture. Largely apocryphal comments sprinkled in the code, probably mostly out-of-date and inaccurate. No unit tests, no automated builds. A test team working on a Frankenstein system comprising multiple web services and multiple db's, all the while claiming that a test sprint can be done in 1 hours' time. Argh, and don't even get me started on the misinformed decision to use Seasar2, which itself suffers from extremely poorly written documentation, even in its home language of Japanese.

So I've been suffering from recurring headaches, lately. The cause? Me banging my head on my desk, asking futilely, "Why, o dear lord, why?"

What is this global variable doing here? *wham*
Why is this method duplicated in several objects, but in different, unrelated packages? *wham*
Why are there 2 classes in separate packages but of the same class name that at a functional level are almost, but not quite, completely different from each other? *wham!*
Who the #$%! wrote this code??? *wham!!*
What the #$%! was he thinking??? *wham!!!*
What blockhead decided against unit-testing and automated builds?! *wham!!!!*

When I am coding, I often talk to myself. A lot. So much that the people that sit near me at my traditionally laid out Japanese office mention it. They mention it quite often, actually. And I find that if I am in fire-fighting mode, trying to fix code written (nay, slapped together??) by others, then I find that I begin to swear out loud. A lot.

Hallucinatory soliloquy? Generalized anxiety disorder? Just a tad schizophrenic? Tourette's?

No, none of the above. Not according to the Scientific American article Why the #$%! Do We Swear. No, I think the increase in my swearing out loud is in direct proportion to the amount of stress and frustration I am feeling at that time, and this outward vocalization is really helping me to relieve the pain I am feeling. It's a coping mechanism.

A brief excerpt:

The study, published today in the journal NeuroReport, measured how long college students could keep their hands immersed in cold water. During the chilly exercise, they could repeat an expletive of their choice or chant a neutral word. When swearing, the 67 student volunteers reported less pain and on average endured about 40 seconds longer.

...

How swearing achieves its physical effects is unclear, but the researchers speculate that brain circuitry linked to emotion is involved. Earlier studies have shown that unlike normal language, which relies on the outer few millimeters in the left hemisphere of the brain, expletives hinge on evolutionarily ancient structures buried deep inside the right half.

One such structure is the amygdala, an almond-shaped group of neurons that can trigger a fight-or-flight response in which our heart rate climbs and we become less sensitive to pain. Indeed, the students' heart rates rose when they swore, a fact the researchers say suggests that the amygdala was activated.

So you see, I am just trying to soothe my #$%! pain. I'm just trying to work it on out. Hell yeah, I can feel that dull ache receding...

Networking and FreeBSD 7.1 on VirtualBox

noreply@blogger.com (Buruzaemon) — Sun, 26 Apr 2009 15:16:00 +0000

Quick tip if you're installing FreeBSD on VirtualBox... when configuring networking, be sure to select the PCnet-PCI II (NAT) adapter.

I was bored this Sunday evening, so I decided to install FreeBSD 7.1 alongside my virtualized Linux distros (CentOS 5.2 and 5.3), plus I still have OpenSolaris around). Having just installed Linux this morning, I mistakenly selected the PCnet-FAST III (NAT) adapter, and was scratching my head for the better part of half an hour when I found I couldn't SSH into my shiny new FreeBSD install.

The more you know...

CentOS 5.3 on VirtualBox

noreply@blogger.com (Buruzaemon) — Sat, 25 Apr 2009 22:10:00 +0000

CentOS 5.3 was released last month, and I finally got around to adding that to the list of virtualized OSs I have running on VirtualBox.

Install was easy as usual. Since I again installed a handful servers and development tools, along with Japanese Language Support, I ended requiring all 6 of the CentOS 5.3 install ISO image files. No need to burn them to CD-ROM, just mount the files using Devices -> Mount CD/DVD-ROM in the VirtualBox main window menu.

Did the normal preflight check: ensured that SELinux is on and enforcing (you can switch this off if all you're doing is developing locally, but it helps to understand how SELinux works if you will be using it in production); disabled services not needed when running virtually (anacron, bluetooth, cups, hidd, pcscd, xfs); double-checked to see that root access is disabled for sshd; and I only open ports for SSH and HTTP/HTTPS in iptables (again, you can always configure more open ports as needed, like for accessing a database or whatnot).

Lastly, I installed the VirtualBox guest additions for Linux. Nothing special here, just follow the instructions in the User Manual. The long and short of follows below.

First, we install the packages necessary for installing the Linux guest additions:


# yum install gcc -y
# yum install kernel sources -y
# yum install kernel-devel -y
# shutdown -r now

Next, mount the VBoxGuestAdditions.iso file per section 4.3.1 Installing the Linux Guest Additions in the User Manual.

Then, all that's left is:


# mkdir /tmp/cdrom
# mount /dev/cdrom /tmp/cdrom
# sh ./VBoxLinuxAdditions-x86.run
# shutdown -r now

Hey, presto! In the messages displayed in the console at startup, you will see that VirtualBox Additions is also starting up now. Good to go. And not that much different from my previous post on guest additions with CentOS 5.1.

I should also add that there wasn't any need to first install gcc and dkms, since those packages were already included in the installation. Caveat emptor.

Robotic Penguins!!!

noreply@blogger.com (Buruzaemon) — Thu, 23 Apr 2009 05:28:00 +0000

Is this not sweet, I ask you?

Learning from Failure, or There Goes My Golden Week Vacation

noreply@blogger.com (Buruzaemon) — Thu, 23 Apr 2009 01:24:00 +0000

As a systems architect, I must concern myself with project management issues. Every now and then, I like to check my head and reread a wonderful blog post from Reg Braithwaite on What I've learned from failure. I printed up a copy and keep it in my notebook so that I can pull it out and read it on my train ride.

This is a timely topic for me as I now find myself only a week away from the big Japanese Golden Week holidays facing the ugly and imminent possibility that I will have to drag my carcass into the office during the holidays to assist another project team that are in the unenviable position of being smack dab in a "project out of control".

This project is rather high-profile and very important for my current employer. Being an outsider to this project, I don't know anything about how it got to this state. Only three weeks before going public, with a large string of national holidays right at the end... Doesn't that sound like project management wasn't working properly? And it always just slays me when I see that the only solution upper management can come up with is to toss more people at the problem by asking them to come in over the vacation. Urgh, I am having flashbacks of Lumbergh in Office Space: "m' yeah, I'm gonna need you to come in on Saturday..."

Close your eyes, take a deep breath, and repeat this mantra after me: Adding manpower to a late software project makes it later. Fred Brooks is spot on there. I feel like I should bring my copy of The Mythical Man Month in to the office and start whacking people across their faces with it.

So here's the punchline for today... what have I learned from failure?
People just never learn, that's what.

Closing note: It just so happens that there was a recent thread on /. on project management. Great comments, especially from myvirtualid.

Python: Very Pleasant Language, Indeed

noreply@blogger.com (Buruzaemon) — Tue, 21 Apr 2009 02:36:00 +0000

Time.com 100 Most Influential People of 2009 Poll Hack

noreply@blogger.com (Buruzaemon) — Tue, 21 Apr 2009 01:29:00 +0000

Great bit describing a hack to write out a not-so-hidden message in the Time.com 100 Most Influential People of 2009 poll.

As of 10:30, 2009/04/21 Tuesday, the message was being garbled --- check it out here ---, but the hack is still pretty funny. At the very least, don't allow HTTP GET for any sort of non-idempotent operation.

Google Researchers Propose New-and-improved CAPTCHA?

noreply@blogger.com (Buruzaemon) — Tue, 21 Apr 2009 00:50:00 +0000

Well, here's an interesting article on Google researchers and their new proposal for improved captchas.

I really hesitate when it comes to captchas, whether it be from the user's perspective or the architect's. Present-day implementations are often too difficult or troublesome to deal with, and on the flipside, are all too often easily defeated by employing underpaid serfs in a sweatshop. But the gist of the article is that the new proposed captcha is image-based, which is great since text-based challenges have many shortcomings (language-dependent, requires text input).

I hope that Google can roll out some kind of library or package for this idea, it sounds pretty solid.

Tsubaki Shampoo and Sex... Wax

noreply@blogger.com (Buruzaemon) — Mon, 20 Apr 2009 13:55:00 +0000

Ah, my memories are all coming back to me now. I know why I like Shiseido's Tsubaki Red shampoo so much...

It brings me back to the day I bought my first bar of Mr. Zog's Sex Wax!

XKCD: Students

noreply@blogger.com (Buruzaemon) — Wed, 18 Mar 2009 21:18:00 +0000

Can you believe, I actually still see this dream every so often?

Skinny Times Are A'Coming

noreply@blogger.com (Buruzaemon) — Tue, 28 Oct 2008 13:35:00 +0000

I am sitting at the dining table, pecking away at this post while wolfing down some instant noodles. I just got back from company enkai where I really understood for the first time how grave the situation is at work. What with the grim economic circumstances unfolding worldwide, even here in Sapporo, skinny times are a'coming.

It is time to bear down, re-evaluate your skills and knowledge, tap your social networks, and plan for the worst. With the sinking of Lehman Brothers just the tip of the iceberg, soaring fuel and food costs and the coming winter mean that I will have to work a bit harder and a lot more smarter to protect my family.

S0, just how do I know that my company is in for some skinny times and stormy weather?

Tonight's party menu, that's how. Or rather, the lack thereof.

Normally, an enkai for welcoming new employees should be a fairly filling affair. It is fall, so that should mean a nice, hearty nabe hot-pot, with extra dishes of skewered meats or sashimi, salads, and the like. But tonight? There was only:

a small nabe hot-pot, 1 serving per person, with cabbage, mushrooms, and ground chicken dumplings
1 yakitori skewer
1 tsukune ground chicken skewer (very tiny)
a sparse green salad
tiny, tiny fried chicken nugget-lets (I mean, tiny!)
vinegared sushi rice (w/out much in the way of anything added to it)
a dry piece of cake for dessert

Granted, it was an all-you-can-drink-for-2-hours sort of deal, but after a hard day coding, I was looking forward to sitting down to a real meal. Seeing as how such a meal could not be afforded given the financial situation, I fear that expanding the staff at this point is probably folly. And any grandiose ideas for transforming the company from a software sweatshop into a real service-oriented enterprise should have been put into execution last year.

Already, there is blood in the water for IT in Sapporo. A local Sapporo IT company called Den-nou (電脳, but their website is already down) just sank last week, and I reckon that it will not be the last. As far as I can tell, practically all IT in Sapporo have the same weak business model (bid as low as possible on jobs in Tokyo or Osaka, agree to unrealistic schedules, and work the crap outta your staff; lather, rinse, repeat). With practically nothing to discern one company from another, I expect that the same fate that befell Den-nou is what await many other Sapporo IT shops, including the one in which I am stuck.

But I am a chameleon when it comes to careers, a trapeze-swingin' kind of guy. I think it may be time to reinvent myself. Of course, I love coding way too much to give up that easy. But extraordinary times call for extraordinary measures.

Be prepared. Skinny times are a'coming.

Weebl and Bob - Destroy (archived on YouTube)

noreply@blogger.com (Buruzaemon) — Sat, 27 Sep 2008 11:36:00 +0000

Hilarious parody of Ladytron's Destroy video. Apparently, the creators of Weebl and Bob got flak for making this, and British laws are not permissive enough to allow this. Thank god for YouTube.

Link to thread discussing the cease and desist order here...

It's too bad that someone doesn't have a sense of humor.

Java Implementation Loader Error in Deploying OpenOffice Add-On Project

noreply@blogger.com (Buruzaemon) — Thu, 28 Aug 2008 13:25:00 +0000

My interest has been piqued lately: I am curious about developing applications in the OpenOffice framework, using the OpenOffice SDK.

Anyhow, I had some trouble getting the Add-On project tutorial going. Nothing serious, but I just couldn't deploy the add-on for "Could not create Java implementation loader" errors. Yeah, I didn't have a clue as to what that meant.

But with a bit of googling, I found this thread, which pointed me back to this page on the OpenOffice wiki. The solution is right there, in 2. Possible Work-Arounds. I quote:

This usually happens when one wants to debug Java in the office process and therefore has provided the debug options for Java in the options dialog. The Java service of the extension will be registered in a separate process (uno.exe) which also needs to start Java. This Java uses the same settings from the options dialog.
...
If there is also a Java running in the office process, then the creation of the virtual machine in the second process will fail. The reason is, that the latter receives the same debug settings. It appears that two virtual machines, although in separate processes, cannot use the same port for debugging. If one changes the port number before adding the extension (and after the Java has been created in the office process), then the extension will be installed properly.

Urgh. I installed OpenOffice with its own JRE, but I am using Java SE 6 Update 10 RC as the default environment in my NetBeans IDE (I am also dabbling in JavaFX!). I surmise, however, that when I use the Project View -> Project Node -> Context Menu -> Create OXT | Deploy Office Extension in NetBeans to launch the project deployer, it accordingly uses the environment settings of the NetBeans JRE/JDK the project is using, and not the JRE that comes packaged with OpenOffice.

So, to make a long story short... In WinXP, locate your user's C:\Documents and Settings\%user%\Application Data\OpenOffice.org2, and just delete it. Re-launching/re-deploying the OpenOffice Add-On project will just work. You'll have to change your Windows Explorer settings to display all hidden directories and files.

Mathematicians (nah, I'm not really a mathematician)

noreply@blogger.com (Buruzaemon) — Thu, 28 Aug 2008 03:48:00 +0000

Which reminds me of the following joke:
An engineer, a physicist and a mathematician were all staying in a hotel, when each of their rooms individually caught fire. The engineer did some basic math, flooded the floor and said, "It is out." The physicist did more complicated math, used just precisely the amount of water needed to put out the fire and said, "It is out." The mathematician did a lot of complicated math, cried out, "I HAVE SOLVED IT!" and went back to bed.

... think I saw the above joke on /.

RSA Encryption: OpenSSL to Ruby to C# (and back to Ruby)

noreply@blogger.com (Buruzaemon) — Wed, 27 Aug 2008 12:54:00 +0000

Continuing on the topic of encryption, it turns out that the work project I mentioned in my last post will require transmission of encrypted data from C# to Ruby. As this encrypted data must only be decrypt-able by the Ruby-side logic, asymmetric encryption fits the bill well. Here are some notes on working with RSA public key encryption with OpenSSL to generate the RSA key-pair; Ruby/OpenSSL to extract the public key parameters to feed the C# RSACryptoServiceProvider; C# to use the public key to encrypt an arbitrary array of bytes; and finally back to Ruby/OpenSSL to decrypt the enciphered data with the private key.

Now, I will consider that trust between the C# logic and the Ruby/OpenSSL logic is implied, so there is no need for use of X.509 certificates or what-not to distribute the public key to the C#-side. I will instead use the RSACryptoServiceProvider's FromXmlString method to initialize the provider with the key modulus and exponent. Practically speaking, I would have to obtain the key modulus and exponent (most likely using Ruby/OpenSSL), and then serialize that in an XML form that the C# class RSACryptoServiceProvider understands.

RSA Private Key Generation with OpenSSL
OK, let's start off by first using OpenSSL to generate a 512-bit RSA private key:


... with OpenSSL command-line ...

... generate RSA private key (default of 512-bits)
shino# openssl genrsa -out rsa.priv

... confirm key parameters
shino# openssl rsa -in [rsa.priv] -text -noout

Simple enough, no? And once again, yeah, yeah, yeah: a 512-bit RSA key cannot do much in the way of protecting secrets. Cracked way back in 1999. But let's just agree to go with 512-bits for the sake of this post. BTW, don't forget that you will have to take into account any steps needed to protect this RSA private key file. I leave that exercise to you, dear reader.

Obtain Key Modulus & Exponent Parameters with Ruby/OpenSSL
Next, we use Ruby/OpenSSL to read in our newly-created RSA private key and obtain Base64-encoded string values for key modulus and exponent for the RSACryptoServiceProvider's XML string (we will use those values to calculate the public key in C#-land shortly):


# with irb/ruby/openssl

# use ruby/openssl to load private key
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> require 'base64'
=> true
irb(main):003:0> privkey = OpenSSL::PKey::RSA.new(File.read('rsa.priv'))

# extract key exponent and Base64-encode
irb(main):004:0> exp = []
=> []
irb(main):005:0> pubkey = privkey.public_key
irb(main):006:0> pubkey.e
=> 65537
irb(main):007:0> (pubkey.e.num_bytes-1).downto(0) {|i| exp << ((pubkey.e >> (i*8)).to_i & 0xFF) }
=> 2
irb(main):008:0> exp
=> [1, 0, 1]
irb(main):009:0> tmp = []
=> []
irb(main):010:0> tmp[0] = exp.map {|b| sprintf("%02x" % b) }.join
=> "010001"
irb(main):011:0> Base64.encode64(tmp.pack('H*')).split("\n").join
=> "AQAB"

# extract key modulus and Base64-encode
irb(main):012:0> pubkey.n
=> 10859685957917547658301583853465231245284761442925449111820039202653087969032
48227098143938496267490334944907126548361037059959257154028677097618826672949
irb(main):013:0> (pubkey.n.num_bytes-1).downto(0) { |i| mod << ((pubkey.n >> (i*8)).to_i & 0xFF) }
=> 63
irb(main):014:0> mod
=> [207, 89, 10, 12, 14, 23, 85, 80, 200, 210, 18, 182, 229, 231, 180, 219, 103,
58, 118, 47, 162, 38, 14, 74, 94, 114, 192, 69, 174, 176, 175, 140, 177,
230, 202, 21, 102, 169, 66, 199, 161, 128, 61, 223, 167, 210, 168, 145, 51,
164, 94, 120, 73, 250, 100, 8, 7, 56, 185, 23, 28, 157, 59, 53]
irb(main):015:0> tmp = []
=> []
irb(main):016:0> tmp[0] = mod.map {|b| sprintf("%02x" % b) }.join
=>"cf590a0c0e175550c8d212b6e5e7b4db673a762fa2260e4a5e72c045aeb0af8cb1e6ca1566a942c7a1803ddfa7d2a89133a45e7849fa64080738b9171c9d3b35"
irb(main):017:0> Base64.encode64(tmp.pack('H*')).split("\n").join
=> "z1kKDA4XVVDI0hK25ee022c6di+iJg5KXnLARa6wr4yx5soVZqlCx6GAPd+n0qiRM6ReeEn6ZAgHOLkXHJ07NQ=="

A good point to bear in mind here is that for Ruby/OpenSSL, the key parameters are instances of OpenSSL::BN, which represent big numbers for OpenSSL for multiprecision integer arithmetics. OpenSSL::BN.num_bytes tells us how many bytes are used to represent a key parameter, and then in order to transform the big number into an array of bytes, we can pass a block that uses a bit mask to obtain the significant bits for each byte of the big number. Then, we transform the byte values in this array into 2-char hexadecimal strings, and concatenate into one, long string of hexadecimal chars. Stuff that into a temporary array, call pack('H*') on the array, remove any line-break chars, and then we Base64-encode the values for modulus and exponent.

Encryption Using RSA Public Key with C#
OK, so we have our 512-bit RSA private key, and we have extracted the key modulus and exponent values as Base64-encoded strings, which we can now pass to C#'s RSACryptoServiceProvider in order to obtain the public key:


using System.Security.Cryptography;
...

RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.FromXmlString("
 <RSAKeyValue>
     <Modulus>         
        z1kKDA4XVVDI0hK25ee022c6di+iJg5KXnLARa6wr4yx5soVZqlCx6GAPd+n0qiRM6ReeEn6ZAgHOLkXHJ07NQ==
     </Modulus>
     <Exponent>
        AQAB
     </Exponent>
 </RSAKeyValue>");

Note that the XML string really shouldn't have any line breaks, I only broke it up to for viewing's sake.

The next step is to encrypt some arbitrary data, which we take to be an array of bytes. Be sure to Base64-encode the result, since we will pass that string over to the Ruby/OpenSSL side.


... in C# ...

byte[] cipherbytes = rsa.Encrypt(plainbytes, false);
String ciphertext = Convert.ToBase64String(cipherbytes);

Gotta love C#, the APIs are for the most part crystal clear and user-friendly.

Decrypt Ciphertext with RSA Private Key with Ruby/OpenSSL
Alright, now we just need to bring it all home, and decrypt that ciphertext string with the RSA private key, using Ruby/OpenSSL:


# with irb/ruby/openssl again

# read in private key from file
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> require 'base64'
=> true
irb(main):003:0> privkey = OpenSSL::PKey::RSA.new(File.read('rsa.priv'))

# Base64 decode the transmitted ciphertext first
irb(main):004:0> ciphertxt = Base64.decode64("RALJTqgPNRcmvZ4E09y4NODl+w/vJPRslmxi8xB9JPSrpDQ
bKjOkoeivTOqL9gT4WBpRpIlqut3jflkcUy/5Qg==")
=> "D\002\311N\250\0175\027&\275\236\004\323\334\2704\340\345\373\017\357$\364l\
226lb\363\020}$\364\253\2444\e*3\244\241\350\257L\352\213\366\004\370X\032Q\244\
211j\272\335\343~Y\034S/\371B"

# decrypt w/ private key
irb(main):005:0> plaintext = privkey.private_decrypt(ciphertxt)
=> "Ru'\035\314`\f\352"

# reconstitute as plain byte array
irb(main):006:0> plaintext.unpack('H*')[0].scan(/../).map{|b|b.hex}
=> #... results in the original array of bytes which we encrypted in C# land!

Conclusion
That wasn't so bad now, was it? We created an RSA private key with OpenSSL, used the Ruby/OpenSSL binding to manipulate the key to extract the key modulus and exponent (the public key material), and fed that into some C# code. This allowed us to encrypt an arbitrary array of bytes with the RSA public key in C#-land, and then we wrapped it up by decrypting the ciphertext with the corresponding RSA private key with Ruby/OpenSSL.

Like I mentioned in my last post, it is the lack of clear documentation for the Ruby/OpenSSL API that can trip you up. However, hackable nature of Ruby made it fairly painless to explore and experiment, and to come up with the above example of RSA asymmetric encryption using OpenSSL, Ruby and C#.

DES encryption: Java to OpenSSL to Ruby

noreply@blogger.com (Buruzaemon) — Mon, 25 Aug 2008 21:19:00 +0000

Encryption has always been an interest of mine, but I really don't have mad skillz. I must admit that I ran into a bit of difficulty in trying to figure out how to properly use the OpenSSL API for Ruby, but what do you expect? The documentation is frustratingly poor.

In parallel with an ongoing project at work, I took some notes on using DES encryption with Java to generate the proper bits for a DES key; OpenSSL to actually use this key to encrypt some file; and then use Ruby/OpenSSL to decrypt. I know, I know: DES has been cracked for some time now. But this an exercise just to see if I could bring together what little acumen I possess in Java, Ruby, and OpenSSL.

Here's how I did it for DES using the Cipher Block Chain operation mode. Note that the DES key and initialization vector are being passed from Java to OpenSSL to Ruby as a string of hexadecimal char, but in reality we are dealing with bytes.

First, we create a valid DES key and set of initialization vector bytes. From the Federal Information Processing Standards Publication 46-2, the specification for the Data Encryption Standard (DES):

A key consists of 64 binary digits ("O"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. The other 8 bits, which are not used by the algorithm, are used for error detection. The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte.

We'll use Java and the javax.crypto.KeyGenerator factory to create a valid DES key and initialization vector:


// in Java

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

...

public static void main(String[] args) throws Exception {
     // create a DES key
     KeyGenerator kg = KeyGenerator.getInstance("DES");
     SecretKey key = kg.generateKey();
     byte[] keyBytes = key.getEncoded();
     StringBuffer sbuf = new StringBuffer();
     for (byte b : keyBytes) {
         sbuf.append(String.format("%02x", (b & 0xFF)));
     }
     System.out.println("DES key: " + sbuf);
  
     // create initialization parameter bytes
     Cipher nonceCipher = Cipher.getInstance("DES/CBC/PKCS5padding");
     nonceCipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[8]));
     IvParameterSpec iv = new IvParameterSpec(nonceCipher.doFinal(new byte[8]), 0, 8);
     byte[] ivBytes = iv.getIV();
     sbuf = new StringBuffer();
     for (byte b : ivBytes) {
         sbuf.append(String.format("%02x", (b & 0xFF)));
     }
     System.out.println("IV: " + sbuf);
 }

The above Java code will output a string of 8 bytes in hexadecimal for the DES key, and also a string of 8 bytes in hexadecimal for the initialization vector to be used in CBC. We next use this as input for the openssl enc program:


... with OpenSSL command-line ...

shino# openssl des-cbc -e -in plaintext.txt -out encrypted.des-cbc \
         -K [java-generated DES key string] -iv [java-generated IV string]

The above OpenSSL command will encrypt the file specified with the -in option, using DES-CBC with the given -K DES key and -iv initialization vector. The values for -K and -iv need to be a string of 8 bytes given in hex. Encrypting the plaintext file plaintext.txt will then result in the output encrypted.des-cbc. By the way, this OpenSSL command is using PKCS5 padding as default.

To decrypt with ruby/OpenSSL was a bit tricky. Like I mentioned earlier, the documentation is very, very poor. Assuming that the DES-CBC encrypted file encrypted.des-cbc exists in our current working directory, we can fire up irb to do the decryption and bring it all home:


# with irb/ruby/openssl

# given key = "838519bcc21fb0a1"
# given iv  = "33bc52494428f4b6"
# given plaintext msg = "hello, encryption!\n"

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> f = File.open('encrypted.des-cbc', 'rb')
=> #<file:encrypted.des-cbc>
irb(main):003:0> data = f.readline
=> ...
irb(main):004:0> f.close
=> nil
irb(main):005:0> decrypt = OpenSSL::Cipher::Cipher.new('des-cbc')
=> #<openssl::cipher::cipher:0x4417d60>
irb(main):006:0> decrypt.decrypt
=> #<openssl::cipher::cipher:0x4417d60>
irb(main):007:0> decrypt.key = "838519bcc21fb0a1".scan(/../).map{|b|b.hex}.pack('c*')
=> "\203\205\031\274\302\037\260\241"
irb(main):008:0> decrypt.iv = "33bc52494428f4b6".scan(/../).map{|b|b.hex}.pack('c*')
=> "3\274RID(\364\266"
irb(main):009:0> decrypt.update(data) + decrypt.final
=> "hello, encryption!\n"

Here, we use irb to open the encrypted file and read in the bytes. Then, we use the ruby/OpenSSL API to create a DES-CBC cipher. The call to Cipher.decrypt sets the cipher to work in decryption mode. We next specify the DES key and IV initialization vector, as well as the string of encrypted chars as binary strings.


# ruby snippet
"838519bcc21fb0a1".scan(/../).map{|b|b.hex}.pack('c*')

In setting the key and iv, we provide a 16-char long string of hexadecimal that represents 8-byte values. The above invocation uses String.scan(/../) to break the hex string into a list of 2-char long chunks. Enumerable.map { |b| b.hex } then maps each 2-char hex chunk back into its numerical (byte) equivalent. Array.pack('c*') lastly transforms the entire list into a single binary sequence. The documentation for Cipher.key= and Cipher.iv= is none too clear that both APIs expect a binary string. I spent quite a bit of time scratching my head as I was mistakenly passing in the plain-vanilla hexadecimal strings for the key and iv values.

Anyhoo, as you have seen, it is not all that hard to do a round-trip DES-CBC encryption using Java to generate the key and iv; OpenSSL to actually encrypt the plaintext; and ruby/OpenSSL to decrypt.

BTW, this doc page in Japanese was a bit more helpful in pointing me in the right direction.

The Hokkaido Bank predicts 57K JPY increase per household for winter expenses

noreply@blogger.com (Buruzaemon) — Mon, 25 Aug 2008 11:42:00 +0000

A article in yesterday's Hokkaido Shimbun Press reports that the Hokkaido Bank expect an increase of 57000 JPY per household of expenditures on gasoline, kerosene, and other expenses related to winter. This figure is based on a recent Hokkaido Bank study that predicts a gross 134.6 billion JPY increase in winter expenditures for the coming 2008 season. To make things worse, this study does not take into account effects of the expected increase for electricity rates.

This seemingly downward spiral is certainly straining things for all people living in Hokkaido. Food, fuel and utilities like electricity all have been rising steadily. Personally, this has been weighing heavily on my mind as of late, as I am contemplating another career jump in order to keep up with all of the price-increases and keep my family afloat.

I never really wanted to believe it, but the IT business here Hokkaido is starting to look very ghetto to me. There are a handful of good people, but most companies are pursuing a very conservative (read that as "weak" if it cannot let their employees stay ahead of inflation!) business plans for systems integration, made-to-order development, or call center and support.

It may have been a mistake to tie myself directly to the local economy, so I am actively looking for opportunities and challenges that are more global and dynamic. Lord knows, there are a tons of such jobs in Tokyo...

Dan Kaminsky Finally Outlines DNS Vulnerability

noreply@blogger.com (Buruzaemon) — Thu, 07 Aug 2008 03:59:00 +0000

Dan Kaminsky finally outlined the DNS vulnerability that was reported about 4 weeks ago (article on The Register). It appears to be a DNS forgery variant of DNS cache poisoning. If an attacker of a DNS server can quickly and correctly guess a 16-bit transaction ID, then the attacker will be able to replace DNS entries with their own spoofed ones. There has been one confirmed attack so far, where the attacker caused AT&T subscribers to be re-routed to fake Google pages.

For the curious, you might want to see how safe your ISP's DNS servers are. Try the "Check My DNS" button on Dan Kaminsky's site; or the "Test My DNS" link here. The key here is to see the amount of randomness of transaction IDs and query source ports in your ISP's DNS servers.

Hacking FasTrak

noreply@blogger.com (Buruzaemon) — Thu, 07 Aug 2008 03:29:00 +0000

I've never used the FasTrak debit system for the tollways in California when I lived there, but The Register recently reports that an exploit has been found. I can't believe that FasTrak apparently transmits its unique ID number in the clear.

Not that I use it here, but I wonder what sort of vulnerabilities and countermeasures exist for the Electronic Toll Collection (ETC) system in Japan. Or おサイフケータイ services for the mobile devices used in Japan.