Thursday, December 27, 2007

Revolution Lies Within !

I have been reading many of Steve Yegge's posts lately. Most of his posts that I have read, are in essence (and this is related to programming):
1) Think about your work.
2) Improve the depth of your knowledge by learning more on the subject.
3) Improve your programming wisdom by training yourself in various tools/languages.
4) Improve your maths, learn as much maths as you can.

The first two points are generic in nature. Even the third is generic if you try to understand the meaning at its core. The fourth one would be a bit surprising for many people but it is in fact the most radical of those points. This does not mean others aren't important but this one is an unorthodox advice. I want to talk here about the last two thoughts, as everyone is familiar with the first two (even if they don't follow them ;-).

You can have a look at the posts (and I really recommend you to go and read them).
Math For Programmers
Rich Programmer Food
Software Needs Philosophers
Execution In The Kingdom Of Nouns
Ten Challenges
Tour De Babel
Being The Averagest
Practicing Programming
Math Everyday

As I said earlier, the third one is generic too because it illustrates the importance of being open-minded, unprejudiced, unbiased. Here are some quotes (I found them on an interesting blog by Reg Braithwaite and they quite illustrate the third point),

Programming languages teach you not to want what they cannot provide. - Paul Graham, ANSI Common Lisp

An “X programmer”, for any value of X, is a weak player. You have to cross-train to be a decent athlete these days. Programmers need to be fluent in multiple languages with fundamentally different “character” before they can make truly informed design decisions. - Steve Yegge, Code's Worst Enemy

What I can conclude from reading these opinions and myself having a small look at functional programming is, that you definitely need to learn many different programming languages with different paradigms. You do not want to be one of those five blind men with the elephant, isn't it ? And, I really hate it when I see people raving over Java. I am not a Java-hater, though the language has got its own problems as many other languages do. I hate the sickening attitude of those Java-philes, because they look like a bunch of zombies to me. Zombies, zombie-d by Java, fanatically convinced of Java the Panacea, who have built a wall of 'bytecodes' around them and pretend that this enclosure with what it encloses is all that there is. Most of them are newcomers and less-experienced, as those who have been deep into the rabbit-hole of Java surely know that all is not well. Now, you may question my experience as I myself don't have years of experience behind me and that's perfectly valid. However, you have got to pay attention when senior programmers (those who have been there for more than a decade) point out problems with your current favourite language. As when Alexander Stepanov, the implementer of C++ STL and a hugely respected guru of generic programming, said the following:
"I find OOP technically unsound."
"I find OOP philosophically unsound."
"I find OOP methodologically wrong."
"I have yet to see an interesting piece of code that comes from these OO people."
"I think that object-orientedness is almost as much of a hoax as artificial intelligence."

When all you know is language X, you will fire up code without thinking whether X is a good candidate to solve the problem at hand. You will think in the terms of X, you will try to fit the problem into the mold of idioms of X, into a particular paradigm. When the only tool that you have is a hammer, everything looks like a nail.

Coming to the fourth point, its really appalling to see that people just don't know or want to do maths. Whatever they learned, software jobs have washed it out of their minds. Its a great loss and they don't realize it. As an example of why should you study some maths, consider that you have a new problem at hand. Now, most perhaps you will come up with a simple, naive solution to it and use that. This will show up as a problem when considering the efficiency of your application. Had you known some maths, you might have tried optimizing or finding a better solution to the problem. You can say that you can workaround this problem by doing a search on algorithms for such a problem. However, that's not very easy unless you follow points 1 and 2 listed above. Also, in the worst case it may be a new kind of situation and then you are left helpless. If you knew maths, you could try to formulate the problem in some mathematical models you knew, and try developing a better solution. Most wonderful would be the situation where you could model it from scratch and develop a solution. As a more practical example, suppose you had some algorithm (or data structure) which work on the kind of problem you have at hand, but the problem isn't directly fitting into the domain of those algorithms or data structures. You could tweak the data structure or algorithm to fit into your requirements, you could analyze the costs involved ... all possible if you knew maths. Computer Science at a fundamental level is maths.

People with engineering degrees from reputed institutes should be more technically-oriented rather than running for those management courses or jobs (its entirely my opinion). It just doesn't feel right to me. Our country needs a lot of technically skilled people to carry it into the league of advanced nations. The fire of real progress is going to be ignited through science and technology, not through management. Management makes sense only when you have some strong foundation, real growth and progress. So many managers and not enough technically-skilled people is a sure recipe for continuing to be the copycats that we are today. Little wonder why we don't have world-class software products, cutting-edge technology.

Ok, let me wind up. Forget Java or C++ or Ruby, the point is that you need to have an introspection session regularly, where you stop working in the routine manner, and you try to think. Try to think whether you are on the right track, are you working with an open mind, is there something you are missing in your toolset, is your language really giving you what you want, do you need to know a new area of maths ... questions like these. I feel that this kind of checkup and acting upon the conclusions from it honestly, can make us wiser and help us grow.

Wednesday, December 12, 2007

On Happyness and Generators of Groups

It usually happens to me. There are days when all I can think about is completing the work at hand or about my course of action for coming days. So I just keep on reading stuff, finishing assignments, preparing for exams, working on some of my ideas, dreaming and day-dreaming about rosy career-prospects ;-) ... and then somewhere in the middle of it, I realize as if I am trying to run as fast as I can without enjoying what the 'present' has to offer to me. It doesn't look very good and then I try to take a sort of small break and as a result some funny ideas come to my mind. So, this is a recollection of one of the recent such moments I had.

I was trying to learn some functional programming few minutes before this break that I mentioned. I pondered over the reason of why I wanted to learn functional programming. I answered, "because that would make me a better programmer". Okay, but why do I want to be a better programmer ? I answered, "because I love programming and it's really cool to know that you have learned something important, you have enhanced your skill, you have a wider perspective". Fine, but then I questioned, why does it matter really that I have gained a broader vision about programming a solution to a problem. To cut the chase, it finally dawned on me that the reason was "Happyness" (yes, that spelling is borrowed from the movie). Moreover, it dawned on me that in fact, Happyness was the answer if you started to ask questions and reduce your pursuits to some fundamental reason. I am very sure on this that everyone of us can apply this method of reasoning to themselves and the answer will inevitably turn out to be Happyness. It may be studying maths, working hard on your tennis games, practicing new moves in chess, staying late at office to finish some task ;-) ... whatever.

Well, that's half the story. A remarkable characteristic of human mind is that it's working is strongly based on patterns and it learns a lot through drawing analogies. Surprisingly, a strange analogy struck me in regards to the above mentioned stream of thought. Let me now bring you to the topic of groups and generators which will help you understand my crazy analogy.

Algebra is a beautiful subject indeed. It represents an example of what the mainstream mathematics of today looks like, which is, abstract. Yes, modern mathematics is hugely abstract in nature. It may surprise some people as mostly it is thought to be involving calculations. In fact, this was the scene a few centuries back. However, over the course of time, the emphasis has moved from computing to understanding, which brings in abstractness. Don't misinterpret me in that there was no understanding involved in mathematics a few centuries back. It's just that mathematics then was mostly used as a tool to calculate answers to problems, mostly physics-related. What happened that mathematicians studied some related problems and then in the process of study, refined their results more and more to some basic essentials, which became the abstract theories of mathematics we have today. In Algebra, we study mainly algebraic systems (such as groups, rings, fields), which simply put are, a set of objects together with some operations for combining them.

Which brings us to Groups. Now, I am not going to bomb you with heavy mathematical definitions. I will try to explain to you in as much a layman-style as possible. Consider the set Z11={1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. Now, we will add an operation to this set ... it's multiplication (and you thought it was going to be some Lebesgue integral over the norms of the p-adic variation of this group !). Yes, plain old multiplication but with a little twist, it's called multiplication modulo 11 (in general modulo n). This is nothing complicated, all you have to do is that whenever you multiply any two numbers in the set Z11, you take the remainder of product divided by 11 as your result. For example, 2 x 6 = 1, because you take the remainder of 12 divided by 11. Similarly, 3 x 5 = 4, 4 x 7 = 3 and so on. Guess what? We have a group at our hands and it is the pair (Z11, multiplication modulo 11). Technically, there are some other properties this pair needs to satisfy to be called a group but, I won't be going into those and you can believe me here in that this pair is indeed a group.

So, with the group at our hands, it's time to look at the element 2 in the set Z11. 2 here has a special property as does the group Z11. I am going to denote power operation by ^. Observe now. 2^0=1, 2^1=2, 2^2=4, 2^3=8, 2^4=5 (not 16, remember we divide the result of multiplication by 11), 2^5=10, 2^6=9, 2^7=7, 2^8=3, 2^9=6, and 2^10=1 again. What we have here is that a single element (2 here) generates the whole set when the operation is applied to it repeatedly. The power thing is actually 2 being multiplied with itself again and again. Thus, 2 is special and it is called the generator of the group (Z11 itself is special since it is an example of groups that have generators, many groups don't ... in fact put any prime in the place of 11, say p, and you will see that 2 is a generator of Zp).

Okay, let me get to my crazy idea that I was going to talk to you after all. Probably you might have already got it or a feeling of what it is. To kill all the hyped suspense, the idea is:

Happyness is the generator of the "group" formed over the pursuits or actions in our life.

Crappy, isn't it ? Yeah, sorry to bother you all along but let me give some reasons as to why I think so. First, you can see the strong analogy between the questioning process I mentioned and the generation of group by a generator. What I mean to say is that, each of your actions fundamentally derives from the a desire to be happy. Hence, happyness when applied to itself through an operation (that I am not very clear about) generates all your other desires, actions and pursuits. Secondly, sometimes you find that at some stage of your questioning you may have more than one reason/answer for your question. This can also be explained in the analogy if you observe that 4^2=5, 4^3=9, 4^4=3. So 4 also generates some elements but not the whole group (try it, you will know why, it's not tough). It is 2 that generates the whole group. So is it with Happyness, it is the "fundamental" generator, or in other words, the generator of the (whole) group.

Now, you may pose a valid question ... if we consider one person's desire/actions to be a group and do the same for another person, is it the case that the happyness element that they both have in their groups are the same ? I mean to say that whether when you feel happy and I feel happy (when the happyness element is expressed), is it the same feeling ? Well, I should say that analogies when carried too far or stretched too much, usually break. So, I am doubtful if this one holds. On a different note, this question is a very important one in Algebra, as it is basically the question of two groups being isomorphic (and I don't have the time to explain that here, maybe some other post :-)

"This person has gone nuts!" ... must be the thought coming to your mind, so let me say goodbye and thanks for reading.

Monday, December 10, 2007

I didn't do it, Lord screwed me !

/* crap.c */
#include "screwed.h"

int main(void) {

/* At last it's over. I am really relieved. I had my Compilers final today. It was really terrible, I have messed it up really badly, but you know what, Lord Screwed Me ;-) ... How ? Here's how :

1) Lord has not given me the strength to wake up and attend classes, especially, those that take place at 9:00 am, which was the case with Compilers class. (additional weakness: sleeping at 3:00 am)
2) Lord has not given me the strength to stay awake and focus in classes as demanding as Compilers, I dozed off half the time in those lectures.
3) Lord has not given me the wisdom to go through such tough material at least once a week so that I can feel comfortable with the concepts. I really have to wait for the finals to come for my recovery action to get started.
4) Lord has not given me the wisdom to utilize a gap of two days before the tough final, so that I can still do it better than what I did, in fact could have been much better.
5) Lord, aaaaaarrrghh ... has not given me the HUGE WISDOM to pick up question papers from the past few years and try to solve them at least. Even that would have helped me a lot.

I am such a helpless guy ! ... Lord is a big, hidden sniper who enjoys playing "Shoot the Kid" game with me ;-) ... */

return SCREWED; /* haha */
}

You must have got the story by now. So, lame excuses aside, the real point of writing this post is that I wanted to communicate to you something I have realized in the past couple of days. Compilers is a very interesting, important paper and every computer science student should try to understand it as good as they can. Not convinced ? Steve Yegge's post might give you an idea. Personally, I have read the dragon book on Compilers (Compilers: Principles, Techniques and Tools - Aho, Sethi, Ullman) in the past couple of days and I must say it's been challenging, stimulating and enlightening. It's definitely not easy but it isn't meant to be, it's not Java ;-) ... I have made a resolve: To keep on reading the book and improve my understanding of Compilers.

Tell you what, I DIDN'T DO IT, LORD SCREWED ME ! ... haha :-)

Monday, December 3, 2007

A Slightly Helpful Guide to Learning Computer Security

Yet another guide to learning computer security ! ... Yes, but this one is with a DIFFERENCE. It will reveal to you all the untold secret methods that are never there in those other laughable tutorials on the net. Even those books in market won't teach you as much content you are going to learn here, and that too at a storming pace ... you will be able to hack your school's servers, read your enemy's mails (yes, hack Yahoo!, Gmail and many other mail servers !) and more with the super-hack tools presented in this series. And, all you need to do is to help me to continue this great service to wannabe hackers like you by donating me a small amount of 100 dollars ...

;-) ... just kidding, I am not going to do any of what's mentioned above. Just to entertain you (a pathetic attempt, I admit) and sort of pun on some webpages with somewhat similar claims. My purpose in this post is to provide students and people who want to learn about computer security (with more than a passing interest), a somewhat helpful plan to do so. So let's get started.

Well, we can make a vague and not so accurate (but practical for learning purposes) partitioning of this field. That is (a) OS+Network Security (b) Web Application Security (c) Cryptography. This definitely leaves out some areas since security is a huge field. Another thing is that these categories are not disjoint sets, that is there is stuff which cannot be said to fall in any one of the categories. However, this partitioning will do, as you are embarking on the journey. Let me explain briefly what these categories mean.
(a) OS+Network Security - This covers the exploits that are targeted against the weaknesses, critical flaws in an operating system's code (like Windows or Linux or Mac) as well as network protocol implementations. So the major work here is to understand how these exploits work, finding new areas of OS, Networking code that are vulnerable and solutions to prevent the exploits.
(b) Web Application Security - This covers the exploits targeted against the web applications like browsers, mail servers, web servers. Usually, the exploits use vulnerabilities in such software to gain access to system, or to retrieve confidential data from the databases behind the servers.
(c) Cryptography - Cryptography is the science of secret storage and secure transmission of information. Various cryptosystems are used to enable the secure transmission of data over insecure channels like Internet. Now, cryptography is used both in OS and Web Security. So what I mean here is the study of cryptosystems, protocols, security of these systems, attacks on these systems etc.

Well, so that was a crap intro to the three categories. You can get much better descriptions on Wikipedia. Let's move on to a plan for study. Let me remind you, I am not giving you any methods for cracking or breaking into other people's systems. Another very important thing is the fact that you are not going to be good in this field within couple of weeks, or months. It takes lot of hard work, patience, perseverance and you would better set a time frame of a couple of years at least. Well, that doesn't mean you will be an expert in couple of years, but you will be much ahead of the crowd if you put in real effort.

Avoiding Crap Sites on the Net: Yes, there are so many of them. They will provide you with text files, webpages with hack descriptions and lots of them. The problem is that these are mostly the "script-kiddie" stuff. That is, they give you tools or methods used for hacking which have been developed by other crackers(yes, not hackers, there's a difference) and spread on the net. The problem is that you never learn why they work and you are a dead duck when they fail and maybe get you tracked down. Study good books to get your fundamentals right first.

Understanding Networking: This is really important. You got to have your networking concepts really solid to understand the field of security. Unless you know how networking works, how the protocols work, in depth, you are going to be always on the surface of this ocean. So, try to get an account at your institute's lab and practice what you learn from books. For those who are out of institute, if you can build a small LAN with your friends maybe, you can still learn most of the stuff. You could also subscribe to lots of Unix/*nix accounts (some free) out there on Internet. Yes, books:
(1) TCP/IP Illustrated Vol 1, Vol 3 - W. Richard Stevens, this is such a joy to read, the best thing being that it's not filled with only theory but also shows you all the details with tcpdump, read an practice this book thoroughly, it will enable you to understand the security issues and explore on your own. Vol 2 has a coverage of whole TCP/IP implementation, and is recommended if you want to take a really deep dive. You can manage without it usually while understanding the exploits but to design your own exploits or to tackle exploits you will need to get down to these gory details.
(2) Computer Networking by Tanenbaum is also nice but is a lot of theory, you could read it to clarify some portions and more general coverage than Stevens
(3) Internetworking with TCP/IP - Comer, haven't read it but I hear this one's also good

Understanding Operating Systems: This is really important if you want to get more into OS security. Even if you don't, it's very advisable to have a good idea of how an OS works in general. You will benefit from the knowledge in many other areas as well. The books are:
(1) OS Concepts - Silberschatz, Galvin ... this is the standard OS textbook of general nature and you would do well to read it as much as you can. It's a very clearly written book that will provide you the concepts you will need to understand more specific texts.
(2) The Design of the Unix Operating System - Maurice J. Bach ... this is a classic. It is outdated in some places but most of it is still relevant and gives you the idea underlying UNIX OS and most of its existing derivatives today (like Linux).
(3) The Design and Implementation of 4.4 BSD Unix OS - McKusick, Bostic, Karels, Quarterman ... another classic, describes the Berkeley Unix, the other major stream of Unix kernel besides the AT&T Unix.
(4) Understanding Linux Kernel, 3rd Ed. - Bovet, Cesati ... the definitive book for details of Linux kernel. Best if you read this one along with (1), covers the 2.6 kernel that is the latest major kernel version of Linux.
In fact, anyone whether he intends to get more into OS security or not should read (1), and if you want to move into details pick up (2), (3) or (4). (3) and (4) are more up-to-date. (4) has the unique advantage in that it contains some real kernel code as well as pointers in the kernel tree to where you would find the code to the topic being discussed. Another important point to note is that if you want to do security stuff, Windows or Mac isn't a very good idea, as you have limits on how much you can peek into the internals (which frankly is very less). Linux provides you complete freedom to look at everything in it, you can go through code for every part of the kernel, device drivers and do changes at fundamental levels which are not possible on Windows or Mac.

Shell Programming: You need to be good at shell programming, scripting, to carry out the tasks efficiently in Unix/Linux. Many exploits are written as shell scripts. Also they take a lot of burden by simplifying the task compared to what you would have to do if you were to write them in languages like C, C++. Books are:
(1) The Unix Programming Environment - Kernighan, Pike ... the classic and much recommended book, will give you an idea of how the good Unix programmers use the shell for their work and the power of shell. You really need to absorb this book as much as you can.
(2) Classic Shell Scripting - Robbins ... another very good and current book that will strengthen your shell programming skills.

Firewalls: For those who were waiting for more related to Web Security, this one is a really important topic. However, please note that you need good networking concepts to move into this part. Firewalls are essential to security on web today. There are so many exploits and so many firewall-building/firewall-design strategies, that it is a very demanding and enjoyable area of study in itself.
(1) Firewalls and Internet Security: Repelling the Wily Hacker - Cheswick, Bellovin ... this one's the only one I have looked at and it's probably the best book out there on the subject.

Web Application Security: I haven't read much here and most of what I know is from a few good websites. I will be lisiting a collection of websites that have good content on security in the next part of this topic. Though, I can see from reviews that following books might be good:
(1) Hacking Web Applications Exposed - Scambray, Shema, Sima ... another one from the trustworthy Hacking Exposed series.
(2) Apache Security - Ristic ... I happened to glance through the book, looks pretty good to me, reviewers seem to agree.

Cryptography: Well, this is something I am most interested about from all the three categories I mentioned. As I said earlier that what I mean by this section is the study of cryptosystems used today, the analysis of their security, attacks on them and mitigation strategies. Moreover, this part of security turns out to be heavily mathematical and algorithms-based. So if you are more hooked on to programming, OS's, networking etc. you might just want to know some basic ideas from this field and that would be fine. That does not mean that cryptography doesn't involve programming, there's programming here too, as these mathematical cryptosystems need to be implemented, that too correctly and efficiently. A very good, general, not too technical, introduction would be Simon Singh's The Codebook. For those of you who want to get into it a bit deeper, let me remind you that you need to be comfortable with some elementary algebra and number theory. The books are:
(1) Introduction to Cryptography - J. Buchmann ... good material, with examples to get you working, gives you required maths background to understand the topics.
(2) Cryptography, Theory and Practice - Douglas Stinson, 3rd Edn. ... a classic, really good textbook. Maths background is there but you need to be comfortable with some elementary algebra and number theory.
(3) Handbook of Applied Cryptography - Oorschot, Menezes, Vanstone ... a very good textbook, with current material, lots of references to help you, good presentation. Best thing is that the whole book is downloadable freely.
(4) An Introduction to Theory of Numbers - Niven, Zuckerman, Montgomery ... one of the best number theory books out there, very accessible and sufficient depth in topics too.
(5) Contemporary Abstract Algebra - J. Gallian ... a very accessible introduction to Algebra. It is a really good book to start learning algebra, gives you a lot of examples and also gives applications of algebra.
I could write a lot here but I plan to put more information in posts in the Cryptography category (to be added soon).

Other Important Books: This section lists some books that are essential to your knowledge but I could not put them in one of the above categories. One reason being that they are different from the above books as they are meant to guide you in securing your systems, not to prepare you for an in-depth understanding of the exploits and vulnerabilities.
(1) Practical Unix and Internet Security, 3rd Edn. - Garfinkel, Spafford, Schwartz ... a classic of its kind, you got to have this book on your shelf. Lots of information, with very clearly written material on system administration, intrusion detection, break-in forensics, and log analysis.
(2) Hacking Linux Exposed - Hatch, Lee ... a very good read, it contains current material and exposes lots of security problems, provides you an understanding of various tools for keeping your systems secure and monitoring their security.

Books to develop your thinking style about security: These are the sort of books that will give you an insight to the patterns of hacking exploits, how people have thought about these exploits.
(1) Exploiting Software - Hoglund, McGraw ... does a Design Patterns thing for security exploits, gives you an insight as to how to look for vulnerabilties in software. Highly recommended.
(2) Silence on The Wire - Michal Zalewski ... another thoroughly entertaining and insightful book on computer security. Highly recommended.

Yes, this looks quite lengthy and I am feeling sleepy now. I wanted to add some sites you should look for to learn and be in touch with current security threats but, I will do that some other day as next part of this topic. Till then, best of luck in case you decided to get into this wonderful field :-)