<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Surkatty.org</title><link>https://surkatty.org/</link><description></description><lastBuildDate>Wed, 08 Feb 2023 00:00:00 +0000</lastBuildDate><item><title>Possible GPT Side Effects</title><link>https://surkatty.org/blog/2023/02/08/possible-gpt-side-effects.html</link><description>&lt;p&gt;Much like the rest of the internet, I was completely blown away when I used
&lt;a href="https://openai.com/blog/chatgpt/"&gt;ChatGPT&lt;/a&gt; for the first time back in December
'22. Since then
&lt;a href="https://www.nytimes.com/2023/02/03/technology/chatgpt-openai-artificial-intelligence.html"&gt;much&lt;/a&gt;
&lt;a href="https://www.wsj.com/articles/chatgpt-ai-chatbot-app-explained-11675865177"&gt;has been&lt;/a&gt;
&lt;a href="https://gizmodo.com/cnet-chatgpt-ai-articles-publish-for-months-1849976921"&gt;written about&lt;/a&gt;
&lt;a href="https://www.bloomberg.com/opinion/articles/2022-12-10/how-to-save-your-job-from-chatgpt"&gt;the topic&lt;/a&gt;
&lt;a href="https://relevantmagazine.com/culture/tech-gaming/chatgpt-just-passed-the-bar-and-med-school-exams/"&gt;by a variety&lt;/a&gt;
of news outlets and &lt;a href="https://duckduckgo.com/?q=site%3Alobste.rs+gpt&amp;amp;t=ffab&amp;amp;df=2022-12-01..2023-02-08&amp;amp;ia=web"&gt;by other hackers&lt;/a&gt;
across the internet. Topics like safety, bias, accuracy, impact to current jobs, and wild
predictions have all been discussed ad nauseam. However, as the future of chat bots and
generative text services emerge from companies like
&lt;a href="https://www.reuters.com/technology/how-get-microsofts-new-ai-enhanced-bing-2023-02-07/"&gt;Microsoft&lt;/a&gt;
and &lt;a href="https://blog.google/technology/ai/bard-google-ai-search-updates/"&gt;Google&lt;/a&gt;,
I believe there is a topic that hasn't quite made it into the zeitgeist yet.
What will be AI's side effect(s) as it is incorporated into search engines?&lt;/p&gt;
&lt;h2&gt;Search Engines in 1990s-2010's&lt;/h2&gt;
&lt;p&gt;As the internet gained traction in the '90s, there was an increasing need to
make its content more accessible and organized. Companies like Yahoo! organized
the content into directories; Ask Jeeves tried to use natural language for a more
natural Q&amp;amp;A experience; and of course Google's simplicity, speed, and quality
eventually won out. Google's mission has been to "organize the world's data". Google's
product was better in every conceivable way and internet users flocked to them
en masse. Users no longer "searched" the web, they "googled" it.&lt;/p&gt;
&lt;p&gt;Google then leveraged its dominant position to take advantage of its users. It
was able to capitalize on user data in the form of online advertising, it
maintained its dominant "default" position through exclusivity deals with
browser and other software vendors, and in turn it heavily reinvested the profits
it reaped as part of its virtuous flywheel. Its early investments
allowed it to catapult into the stratosphere of internet history by becoming an
immensely profitable internet juggernaut, a position it still enjoys to this
day. However, this isn't a retrospective on Google, but rather a post about
search engines.&lt;/p&gt;
&lt;p&gt;From the popularization of search engines through the early
2010s, the relationship between users, the search engine, and website owners
remained largely unchanged, which was:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Users visited their favorite search engine to perform a search,&lt;/li&gt;
&lt;li&gt;Search engines would return relevant links,&lt;/li&gt;
&lt;li&gt;Users would click a link from the search results,&lt;/li&gt;
&lt;li&gt;Website owners would get a visit from the user&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This relationship was about to shift as search engines became even more powerful
and could organize the world's data better.&lt;/p&gt;
&lt;h2&gt;Search Engines in 2010s-2020s&lt;/h2&gt;
&lt;p&gt;In 2012 Google introduced the world to &lt;em&gt;Knowledge Graph&lt;/em&gt; in &lt;a href="https://blog.google/products/search/introducing-knowledge-graph-things-not/"&gt;a blog post&lt;/a&gt;
which started with the words, "Search is a lot about discovery..." They touted
how it would allow users to find the information they were looking for directly
within Google's search results without having to click through to the original
source. It operated on well-structured sources like Wikipedia and the CIA's World
Factbook, but its impact was more far-reaching. It influenced a generation of
search engine developers to no longer act merely as a waypoint in the user's internet
search journey, but as its terminus.&lt;/p&gt;
&lt;p&gt;No longer did users have to rely on search engines to find and organize
relevant &lt;em&gt;links&lt;/em&gt;, but they could rely on search engines to also present
&lt;em&gt;information&lt;/em&gt; directly to them. Website owners like
&lt;a href="https://blog.yelp.com/news/googles-local-search-results-harm-consumers-eu-acted/"&gt;Yelp&lt;/a&gt;,
&lt;a href="https://www.bbc.com/news/business-55357340"&gt;Amazon, Expedia, and others&lt;/a&gt;, as
well as regulators like &lt;a href="https://www.bbc.com/news/business-54619148"&gt;US DoJ&lt;/a&gt;,
have long recognized the consequences of search engines no longer being
content with being waypoints. The new paradigm shifted the relationship to:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Users visited their favorite search engine to perform a search,&lt;/li&gt;
&lt;li&gt;Search engines would return relevant information and links,&lt;/li&gt;
&lt;li&gt;Users would either be content with the information returned, or they may
   click through a link from the search results,&lt;/li&gt;
&lt;li&gt;Website owners would enjoy &lt;em&gt;some&lt;/em&gt; clickthrough.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;To ensure that users discovered what they were looking for, search engine
companies continued to iterate on step #2 to reduce the need to click through off
of their sites. However, nobody stopped to talk about what would happen to
website owners if they became wholly redundant.&lt;/p&gt;
&lt;h2&gt;Search Engines in 2020s and beyond&lt;/h2&gt;
&lt;p&gt;Microsoft's Bing and Alphabet's Google currently enjoy a ~95% market share for
search engine traffic in the US as of February 2023 according to
StatCounter.com. Both of these companies announced in early 2023 their
intentions to include a ChatGPT-like experience in their search engines. If they
are successful at conquering the challenges that lie ahead of them - i.e.,
accuracy, bias, safety, etc. - then I would posit that this shift will impact
every single website owner on the internet today.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Why would a developer click through to StackOverflow if they can get answers to
  their coding problem within the search results?&lt;/li&gt;
&lt;li&gt;Why would a home chef read a blogger's post to understand a base recipe for a
  new dish they are trying to make?&lt;/li&gt;
&lt;li&gt;Why would an event planner visit an SEO spam list website which rehashes the
  same event ideas that can be found in a simple, condensed, and well-presented
  way in a well-known and familiar search interface?&lt;/li&gt;
&lt;li&gt;Why wouldn't a user just keep refining their search query in the search engine
  to get the answer they were looking for rather than contending with some
  random website they'll have to parse through?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For some time there will be categories of search where users will need to
continue to click through until the AI results are good enough, but I cannot
think of a single category that couldn't be ultimately organized and centralized
into this new paradigm. I think we'll quickly see the paradigm of search engines
shift to the following:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Users visit their favorite search engine to perform a search,&lt;/li&gt;
&lt;li&gt;Search engines return relevant information&lt;/li&gt;
&lt;li&gt;...done?&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As far as I know, nothing can stop this inevitability. The current search engine
giants are going to use AI to collectively organize the world's information.
They will use this information to become the terminus of knowledge for users.
They will no longer act as gatekeepers that point or bias their users to a set
of web properties that match their algorithm.&lt;/p&gt;
&lt;p&gt;I hope I am wrong, but I see this as another step toward the centralization of the
internet, and the ossification of the current internet giants. Perhaps Bing will
finally be able to pass Google as &lt;a href="https://www.nytimes.com/2022/12/21/technology/ai-chatgpt-google-search.html"&gt;they were asleep at the
wheel&lt;/a&gt;,
and time will tell if that happens, but things are about to get so much worse
for small-to-medium website owners.&lt;/p&gt;
&lt;p&gt;Either way, you're probably not reading this on my website anyway. Our AI
overlords have in all likelihood summarized this article into a more manageable
format for your consumption. Long live our AI overlords.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Wed, 08 Feb 2023 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2023-02-08:/blog/2023/02/08/possible-gpt-side-effects.html</guid><category>misc</category></item><item><title>Surfing On The Pseudoanonymous Web</title><link>https://surkatty.org/blog/2022/11/26/surfing-on-the-pseudoanonymous-web.html</link><description>&lt;p&gt;For as long as I can remember I've tried to minimize uncontrolled data and
metadata emissions from my web activity. After many years of trying, I've come
to realize that I won't be able to stop all emission, but regardless I continue
to enjoy its pursuit as an intellectual exercise. I've used common privacy tools
and techniques like browser ad-blockers, unique email addresses, opt-out
settings, as well as other steps you're likely familiar with. Within the
information security community these steps aren't necessarily considered to be
tinfoil-hat-level paranoia behavior, but are rather basic steps required to
increase your privacy on the web in 2022.&lt;/p&gt;
&lt;p&gt;Reduction of emission alone won't be sufficient, because inevitably a limited amount of data
will slip through your filters. Thus you also need to focus on degrading the
quality of data you emit in order to reduce its overall signal quality. To
understand how to do this effectively, we must understand how modern analytics
companies identify your behavior and sell it to their customers. To grossly
oversimplify what they do, analytics companies attempt to find and group your
behavior into clusters. In order to do this, they rely on high quality data
markers. For example, if you visit a website about nursing techniques for
newborn babies, then you must be a parent of a newborn baby or are expecting to
have a baby soon. In order to successfully group you into known clusters,
analytics companies must therefore find high quality data points that they can
use to positively correlate disparate data points together. One of the most
common data points used today is the stable user identifier. These identifiers are
used across the various services or websites that you visit or use; e.g., your email
address and device ID can be used to tie identities together across multiple
services into a single profile. Ergo, if you want to reduce the probability of
successful correlation, you must reside within the &lt;a href="https://en.wikipedia.org/wiki/Noise_floor"&gt;noise
floor&lt;/a&gt; of behavior correlation
algorithms as best as you can.&lt;/p&gt;
&lt;p&gt;One of the most stable data points you will always emit over the internet today
is your IP address. Whether you are sending or receiving data, the TCP/IP stack
must know what IP addresses are involved in a connection. This design
decision would be less problematic if it wasn't for the fact that ISPs - at
least those used historically by this author - offer only 'sticky' IP leases
which cannot be easily relinquished or cycled through. Even if you could
relinquish these leases, having multiple devices emit this identifier (i.e. your
mobile phone when you're connected to your home wifi) means it can be used as a
possible identifier. The average internet user cannot obfuscate this identifier easily
without relying or resorting to third party services. As a result, analytics companies
are able to use this &lt;em&gt;relatively&lt;/em&gt; stable data point to tie together your
identity with other data points they may possess. For example, a user coming from IP
address &lt;code&gt;4.2.4.2&lt;/code&gt; using the Chrome browser on Windows with certain settings/addons
is likely to be the same user who previously presented those same data points.
This allows website operators to do some neat things like not require an SMS OTP
to log in again. However, if your goal is to reduce the probability of a
service/website knowing who you are, this can become problematic. So what are
you to do in 2022? Well, you can surf on the pseudoanonymous web.&lt;/p&gt;
&lt;p&gt;The pseudoanonymous web allows users to obfuscate their identity by commingling
their internet traffic together with other users or by obscuring the
source/destination of their network traffic. There are a number of different
methods to accomplish this today (e.g. VPN, I2P, and Tor), each with their own
pros/cons, but the net effect on the user is some semblance of an anonymous
existence on the modern web.&lt;/p&gt;
&lt;p&gt;Leveraging the pseudoanonymous web does result in some other effects which users
may not be immediately aware of. The largest effect is that you will be
lumped together with the lowest/worst common denominator definition for your
network-adjacent users. For example, if another user on the same IP address is
scraping websites or sending out email spam, your traffic will be treated as if
you were the perpetrator. This may mean that you are able to read a website,
but won't be able to contribute to it (e.g. Wikipedia). It may mean you will be
trapped in an endless cycle of attempts to prove that you're a human (e.g.
Google's reCAPTCHA). It may also mean that IP reputation vendors may flag your
IP address/account with additional metadata like "open proxy", "low trust", or
other flags which will prevent you from using DRM-heavy services like video
streaming, or from completing online purchases. As a pseudoanonymous web user,
your experience of the web becomes that of an edge case to website operators.
You will be relegated to a code path which is either not well tested or defaults
to "deny". As a blue teamer, I can understand and sympathize with why website
operators are not incentivized to optimize for this user experience path, but it
can be a point of frustration for those who want to gain some degree of
anonymity.&lt;/p&gt;
&lt;p&gt;All is not lost though. The chief benefit of the pseudoanonymous web is that it
does grant some degree of default anonymity. The ability of the average
website administrator or network operator to positively identify
you, when combined with other data emission reduction/elimination techniques, is
as near to zero as you can practically hope for. Without significant engineering
effort on their part, or without nation state level capabilities, I am not aware
of viable or scalable techniques that would allow cross device activity
correlation without using additional correlative data points. For example,
correlating behavior of my desktop network activity and my mobile device
activity would be very difficult without another data point like account/device
ID, email address, or something else. The network may &lt;a href="https://blog.cryptographyengineering.com/2015/08/16/the-network-is-hostile/"&gt;be
hostile&lt;/a&gt;,
but that doesn't mean I can't take steps to reduce its hostility towards me or
others. I'd encourage you to use the pseudoanonymous web and let me know how it goes.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Sat, 26 Nov 2022 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2022-11-26:/blog/2022/11/26/surfing-on-the-pseudoanonymous-web.html</guid><category>misc</category></item><item><title>On Abuse Mitigation</title><link>https://surkatty.org/blog/2016/01/23/on-abuse-mitigation.html</link><description>&lt;p&gt;Over the past several years I had the pleasure of mitigating abuse for a small
community forum as well as a large hosting provider. I hadn’t intended to deal
with service abuse in my technology career, but it had just happened to fall
into place. Before I go further into this post I should take some time to
explain what I mean by “abuse”. Abuse is any action that is explicitly
prohibited by a site’s or service’s Acceptable Use Policy (AUP). In this post I
won’t cover fraudulent activities, which some organizations consider to be one
and the same as far as abusive activity goes; rather, I will focus on how
service providers can help identify and mitigate abuse on their own service.&lt;/p&gt;
&lt;p&gt;Written by lawyers, AUPs are intentionally vague policies which encompass
things like prohibition of illegal, undesirable, or unwanted activity on a
given service. This can be things like DoS, spamming, web crawling, hosting of
potentially unwanted programs, or running other troublesome services. Services
like IRC servers, Tor exit nodes, and BitTorrent are generally called out by
name due to the headache and liability that they are to service providers. AUPs
are generally used as the guiding rulebook for what constitutes abuse on a
given service provider.&lt;/p&gt;
&lt;p&gt;Without a dedicated team to mitigate abuse on your service, it can be a taxing
task to continually adapt to new abuse threats. These threats, which are
constantly evolving, can be as complicated as running your own core business so
it is important for you to understand what makes them tick. As you approach
your own battles with abuse, I think it is wise to think about the following
approaches to mitigating abuse: know thy customers, profile the abusers, and
understand their business models.&lt;/p&gt;
&lt;p&gt;As an average citizen of the Internet, you have a moderate amount of anonymity
and you can (generally) move relatively unencumbered throughout the Internet.
For example, anybody can sign-up for an email account, your customers can
sign-up for your service from any geolocation, and use any user agent to
accomplish this. This freedom is what allows any arbitrary citizen of the
Internet the ability to sign-up for your service. However as a service
provider, this is the bane of your existence when it comes to mitigating abuse.
Therefore you need to enact certain controls which allow you to positively
identify your customer through a variety of means. The simplest of these is a
pair of identifying credentials which usually takes the form of an
email/password pair. You shouldn’t stop there, though, as this is only the
beginning when it comes to knowing your customer. The true challenge is to
discover whether or not the customer who just signed-up for your service is
indeed a real human. Providers can implement a variety of controls like email
verification, risk based profiling, blacklisting of abusive IP addresses, and
more. This helps increase the confidence level that a given user is indeed a
real human being and not a bot that was designed to take advantage of your
service. A &lt;a href="https://en.wikipedia.org/wiki/Blade_Runner#Voight-Kampff_machine"&gt;Voight-Kampff
test&lt;/a&gt; for
bots is an art that requires constant refinement based on your service’s use
case and its threats. For example, how likely is it for a customer to click on
the email verification link from a different user agent than the one they used
to sign up for the service? How many minutes elapse between completing the
sign-up process and the first API call? Being able to answer questions like
these will help you better know what constitutes a real human customer, which
will of course help you answer who is unlikely to be a real human.&lt;/p&gt;
&lt;p&gt;The United States Secret Service (USSS), whose responsibilities include the
prevention and investigation of counterfeit US currency, had a problem in their
anti-counterfeit training. They needed to identify counterfeit bills which were
circulating throughout the economy. They found that there are nearly endless
ways that US currency could be counterfeited and new techniques continue to
crop up each day. So after years of trial and error in their training process,
the USSS instead focused their training on what real US currency looks like
and what its attributes are: specifically, what a real bill feels like, what
countermeasures exist on real bills, its dimensions, its weight, and a variety
of other telltale signs of a real bill. Once you know what the expected normal
US bill would look like, it is relatively simple to detect counterfeit
techniques.&lt;/p&gt;
&lt;p&gt;Much like with counterfeit bills, once you know what genuine customers look like,
you can focus on what an abusive customer looks like. Abusive customers are
generally trying to take advantage of your service to accomplish a particular
goal. This can be either for spamming purposes, DoS, or other common abuse
patterns mentioned above. The type of abuse you will see will undoubtedly
change as the return on investment from their abusive activities shifts. It is
important that you understand how they are making money from their actions as
this will help you identify ways to reduce their revenue. Once you understand
their revenue source, you can focus your efforts on lowering the overall
utility that your service provides to their goals. For example, an email
spammer may only get paid if they are able to send a high amount of email for
their spam campaign. By not allowing new customers to send a high rate of
emails, or by capping the total number of email recipients at a moderate amount,
you lower the usefulness a given account will have to a would-be email
spammer.&lt;/p&gt;
&lt;p&gt;From a personal experience in running a small forum for a number of years, I
found that one constant angle that spammers liked to take advantage of was
Blackhat SEO spamming. Specifically, these spammers tried to inject links to
their client’s website onto your site in the hopes that search engines would
rank their own websites higher because of page rank association. To help lower
the utility of a link inserted into my site, I added the &lt;code&gt;rel="nofollow"&lt;/code&gt;
attribute on all links submitted by users and disallowed the insertion of links
for new users. This greatly reduced this type of spam overnight. The spammers
identified my site was of no use to them and moved on to their next victim
website. There is simply no substitute for hitting the abusers in their
pocketbooks.&lt;/p&gt;
&lt;p&gt;Mitigation of abuse is a constantly evolving issue that service providers will
need to cope with. Much like fraud, it is a battle that is never ever truly won
as new abuse techniques emerge. In fact when you become complacent in
mitigating abuse, you will likely find a new wave of abuse will come to take
advantage of your service.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Sat, 23 Jan 2016 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2016-01-23:/blog/2016/01/23/on-abuse-mitigation.html</guid><category>misc</category></item><item><title>Certificate Authorities, the shady world of trust</title><link>https://surkatty.org/blog/2013/07/21/certificate-authorities-the-shady-world-of-trust.html</link><description>&lt;p&gt;In 2011 Moxie Marlinspike gave his &lt;a href="http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/"&gt;SSL And The Future Of
Authenticity&lt;/a&gt;
talk at DEFCON 19 and I was fortunate enough to be there in the audience. He
spoke of the current state of trust in Certificate Authorities (CA) and the
associated problems with it. His talk concluded by introducing
&lt;a href="http://convergence.io/"&gt;Convergence&lt;/a&gt;, an alternative way to verify trust for
SSL certificates without a CA. In listening to him talk I became enamored by the
topic and wanted to learn a whole lot more after DEFCON. Shortly after this I
began toying with the idea of becoming my own Certificate Authority and wanted
to learn more about the vetting process associated with CAs.&lt;/p&gt;
&lt;p&gt;In my naivety I assumed the process would be easy and that I would be able to
usurp various root trust stores with very little vetting. Thankfully I was
proven wrong. In my journey I discovered that the only thing standing between me and
being added to various trust stores was a third party audit which costs a lot of
money. Darn!&lt;/p&gt;
&lt;p&gt;With the newfound knowledge that it was in fact &lt;em&gt;kind of&lt;/em&gt; hard to become
a CA, I decided to change my focus to learn more about the vetting process and
share the knowledge of what I've learned there. This culminated in a talk that
I gave at Black Lodge Research. I'd recommend that you, my dear reader, review the
slides and feel free to &lt;a href="/contact"&gt;reach out to me&lt;/a&gt; if you have
any questions. I purposefully left out much context from the slides, but I'd be
willing to share context for each slide if there is interest in it.&lt;/p&gt;
&lt;p&gt;Slides: &lt;a href="/files/ca_presentation.pdf"&gt;Certificate Authorities, the shady world of
trust&lt;/a&gt; (PDF)&lt;/p&gt;
&lt;p&gt;If you see any errors in my slides, please let me know and I'll be sure to make edits where appropriate.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Sun, 21 Jul 2013 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2013-07-21:/blog/2013/07/21/certificate-authorities-the-shady-world-of-trust.html</guid><category>misc</category></item><item><title>Responsible Disclosure List</title><link>https://surkatty.org/blog/2013/06/17/responsible-disclosure-list.html</link><description>&lt;p&gt;Recently I became enamored by the concept of &lt;a href="https://en.wikipedia.org/wiki/Responsible_disclosure"&gt;Responsible
Disclosure&lt;/a&gt;. After reading
up on the topic, I began digging at what various companies are doing on this
particular topic. Unfortunately I found that this information was extremely hard
to come by. Information on points of contact, disclosure policies, and various
other bits are highly fragmented.&lt;/p&gt;
&lt;p&gt;I also searched for some sort of database or website on the topic and I was only
met by other websites or blogs that noted how hard it was to find information on
the topic. The only standard I found on the topic was a &lt;a href="https://tools.ietf.org/id/draft-christey-wysopal-vuln-disclosure-00.txt"&gt;draft
IETF document from May
2002&lt;/a&gt;
which was never ratified. IETF did ratify &lt;a href="https://www.ietf.org/rfc/rfc2142.txt"&gt;RFC
2142&lt;/a&gt; which noted that
companies should maintain a &lt;strong&gt;security@&lt;/strong&gt;&lt;em&gt;example.com&lt;/em&gt; mailbox for the
purpose of "Security bulletins or queries." Unfortunately most companies either
do not know about this RFC or simply choose to not follow it.&lt;/p&gt;
&lt;p&gt;To help solve this issue, I've put together a comprehensive list of various
"Responsible Disclosure" webpages for various vendors, companies, and
organizations that post their information publicly. I plan on hosting and
maintaining the document in perpetuity.&lt;/p&gt;
&lt;h4&gt;&lt;a href="https://docs.google.com/a/surkatty.org/spreadsheet/lv?key=0AhJcgEMWwpzLdFpaa0YyVk9ydUZSdmktZjRfWGxiTEE&amp;amp;rm=full#gid=0"&gt;Responsible Disclosure List&lt;/a&gt;&lt;/h4&gt;
&lt;p&gt;If you discover any errors or would like to include your organization's
information, all I ask is that you &lt;a href="/contact"&gt;contact me&lt;/a&gt; with
the relevant pieces of information to update.&lt;/p&gt;
&lt;h3&gt;Recommendations for companies&lt;/h3&gt;
&lt;p&gt;From forming the list above I've come up with a non-exhaustive list of
recommendations to companies that are thinking about posting policies publicly.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Do it&lt;/strong&gt;. You have everything to gain and nothing to lose from being open and transparent&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Have a point of contact and be responsive&lt;/strong&gt;. As noted earlier, security@ is RFC 2142 compliant;
in lieu of this list, researchers would likely try that email address.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reward researchers.&lt;/strong&gt; Whether that is through a &lt;a href="https://www.google.com/about/appsecurity/reward-program/"&gt;Bug Bounty
program&lt;/a&gt;,
&lt;a href="http://www.reddit.com/wiki/whitehat"&gt;a funny hat&lt;/a&gt;, or a simple &lt;a href="https://www.facebook.com/whitehat/thanks/"&gt;thank
you&lt;/a&gt;,
researchers will be more likely to responsibly disclose if they are incentivized&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Generate and publish a PGP key&lt;/strong&gt;. It is amazing how many organizations do not do this
for such a sensitive topic as vulnerabilities.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Recommendation for researchers&lt;/h3&gt;
&lt;p&gt;If you're thinking about reporting a vulnerability to a company on the list, I'd
recommend that you:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Know your rights&lt;/strong&gt;. EFF published the &lt;a href="https://www.eff.org/issues/coders/vulnerability-reporting-faq"&gt;Coders’ Rights Project Vulnerability
Reporting FAQ&lt;/a&gt;
which covers many common questions that you may have when reporting a vulnerability&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Understand the company's policy&lt;/strong&gt;. Some companies have very strict and
well thought out policies on this topic. If you're seeking monetary or other
rewards from a Bug Bounty program, make sure you read it front to back before
moving forward. When in doubt, ask the company to clarify their policies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Be responsible&lt;/strong&gt;. Understand that real people with busy schedules are
on the other side of the email address you reached out to. As a rule of
thumb, you should expect a non-robot reply within 48 hours and allow up to 60 days
for the issue to be resolved (although Google claims most issues can be
solved &lt;a href="http://googleonlinesecurity.blogspot.com/2013/05/disclosure-timeline-for-vulnerabilities.html"&gt;within 7
days&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I hope I was able to cover this topic in some level of detail that was useful
to you, my dear reader. If you have a question or would like me to clarify
something, feel free to &lt;a href="/contact"&gt;reach out to me&lt;/a&gt;.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Mon, 17 Jun 2013 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2013-06-17:/blog/2013/06/17/responsible-disclosure-list.html</guid><category>misc</category></item><item><title>On Running Tor Relays</title><link>https://surkatty.org/blog/2013/04/12/on-running-tor-relays.html</link><description>&lt;p&gt;When I first learned about the &lt;a href="https://www.torproject.org/"&gt;Tor Project&lt;/a&gt; in the late 2000s, I immediately wanted to contribute. There are many
ways for individuals to contribute to the project such as through
&lt;a href="https://www.torproject.org/donate"&gt;donating&lt;/a&gt;,
&lt;a href="https://www.torproject.org/getinvolved"&gt;volunteering&lt;/a&gt;, or by telling
your friends and family about the project. One of the ways I chose to contribute
is by running a Tor exit node. Before I go into my experience and
recommendations in successfully running an exit node, I'd like to cover some
basic terminology. In general there are three types of relays or nodes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Tor Relay: These hosts are the backbone of the Tor network. They act as an
entry point into the network and they pass traffic between relays as well.&lt;/li&gt;
&lt;li&gt;Bridge relays: These relays act just like regular relays, but are not
published in the public Tor directory.&lt;/li&gt;
&lt;li&gt;Exit nodes: In addition to acting like a Tor relay, they also act as the last
hop (or exit) out of the Tor network.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For those who are unfamiliar or would like to contribute by running a relay,
I would recommend beginning with either a regular Tor Relay or a Bridge. Both of
those choices are safe because they will not allow any of Tor's traffic to exit
through your node. The relay will simply increase the overall bandwidth and host
diversity of the overall Tor network.&lt;/p&gt;
&lt;p&gt;Once you've had some experience running a Tor relay or Bridge for a while, I
would encourage you to consider running a full-fledged Exit node. From my
personal experience, the switch was relatively painless and seamless. As long as
you follow the project's recommended practices, you should be able to run one with
minimal issues.&lt;/p&gt;
&lt;p&gt;In order to reduce and/or eliminate the number of complaints you may receive,
you should consider running a reduced exit policy. Exit policies are a way for
Tor to limit what ports/protocols can exit through your node. You can find a 
recommended &lt;a href="https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy"&gt;reduced exit
policy&lt;/a&gt; on
the project's website. This exit policy covers some of the most common
ports/protocols that have a low likelihood of being abused by a malicious actor.&lt;/p&gt;
&lt;p&gt;I would discourage you from running a wide open Exit node, as you will likely
run into issues rather quickly. When I first started running an Exit node, I
decided to run a wide open policy. This resulted in me receiving 17 DMCA
complaints after a week of running the node. Once I switched to a reduced exit
policy, I never received another complaint from my ISP.&lt;/p&gt;
&lt;p&gt;Many ISPs and companies do not explicitly deny Tor, but it is always a good idea
to check their Acceptable Use Policy or Terms of Service to ensure you are not
violating any rules. In reviewing these policies, you should search for sections
specifically prohibiting the running of a "proxy" or other network services.&lt;/p&gt;
&lt;p&gt;If you cannot find anything specifically prohibiting Tor, you should take a look
at the community-maintained list of &lt;a href="https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs"&gt;Good/Bad
ISPs&lt;/a&gt;. If your
ISP or hosting provider is not on the list, then you should contact them
directly for clarification on running an exit node.&lt;/p&gt;
&lt;p&gt;From my personal experience of running an exit node on and off for the past
~3 years, the biggest challenge is just to ensure you keep your Tor server
up-to-date. Running a responsible exit node will likely not land you in hot
water, though you should still educate yourself on the possible legal
consequences. Here are a few supplemental articles that I'd recommend you
review:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://blog.torproject.org/blog/tips-running-exit-node"&gt;Tips for Running an Exit Node&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.torproject.org/eff/tor-legal-faq.html"&gt;Legal FAQ for Tor Relay Operators written by
EFF&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.torproject.org/docs/faq-abuse.html.en"&gt;Abuse FAQ&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The aforementioned articles should assist you in understanding many possible
scenarios that you may need to deal with as a relay operator.&lt;/p&gt;
&lt;p&gt;One interesting thing I've found from running an exit node is that where you
choose to run it matters. The Tor project does not recommend that volunteers run
relays from their own home/residence because of the issues it can cause. If
you choose to do so, you will find that the web becomes a little more
restricted. Many network and service operators actively monitor for known Tor
exit nodes and may either temporarily or permanently ban your IP address. Some
of the more notable companies that do this are: Yelp.com, Craigslist.org,
4chan.org, Google Search &amp;amp; Maps, and CloudFlare. If maintaining access to these
websites or companies is important to you, then I would recommend that you not
run your exit node and/or relay from your home's Internet connection.&lt;/p&gt;
&lt;p&gt;In closing, the Tor project depends entirely on volunteers to provide network
capacity to the Tor network in order to serve the ever increasing demand it has.
If you can spare the cycles, I'd recommend that you consider running a relay. If
you have any other questions about becoming a relay operator, feel free to
&lt;a href="/contact"&gt;contact me&lt;/a&gt; or the Tor Project directly.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Fri, 12 Apr 2013 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2013-04-12:/blog/2013/04/12/on-running-tor-relays.html</guid><category>misc</category></item><item><title>Snowflake Passwords</title><link>https://surkatty.org/blog/2013/01/14/snowflake-passwords.html</link><description>&lt;p&gt;A while back I wrote about using a &lt;a href="/blog"&gt;three tier password management&lt;/a&gt;
in which I described a plausible system that anybody could utilize without using
third party software to manage passwords for you. Since then I've had a change
of heart. I was able to find the ideal password manager for my purposes. This
ideal solution didn't come right away, it took time and some trial and error.
Mainly due to the managers not really fulfilling my basic set of needs. Here are
just a handful of them:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Cross platform and device support&lt;/li&gt;
&lt;li&gt;Sync capabilities&lt;/li&gt;
&lt;li&gt;Sufficient review by peers&lt;/li&gt;
&lt;li&gt;Great security&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I never thought I'd find this mythical solution that would take care of all my
needs. I've heard much praise for &lt;a href="https://lastpass.com/"&gt;LastPass&lt;/a&gt;, but it
unfortunately fell short in other non-critical categories, specifically
advertisements and the requirement of their Premium subscription service in order to
sync between devices. Furthermore, their syncing requires the user to utilize
their centrally managed web service. This of course can and has led to
&lt;a href="https://en.wikipedia.org/wiki/LastPass#Security_issues"&gt;unexpected
consequences&lt;/a&gt;.
So a centrally managed solution will not work.&lt;/p&gt;
&lt;p&gt;Other possible candidates have included the well known
&lt;a href="http://keepass.info"&gt;KeePass&lt;/a&gt; and the well reviewed &lt;a href="https://www.schneier.com/cryptography/passsafe/"&gt;Password
Safe&lt;/a&gt;. Unfortunately
both of these candidates have poor cross device support, as they rely on the open
source community to provide it. Sure, some support exists, but it generally
relies on a third-party individual to maintain it and is likely several
versions behind when it comes to feature set.&lt;/p&gt;
&lt;p&gt;So what option is left? 1Password. With support for every major platform and
device (&lt;a href="https://agilebits.com/onepassword"&gt;link&lt;/a&gt;), strong security design
(&lt;a href="http://help.agilebits.com/1Password3/agile_keychain_design.html"&gt;link&lt;/a&gt;), and
it is actively being developed on
(&lt;a href="https://agilebits.com/onepassword/mac/release_notes"&gt;link&lt;/a&gt;). Is it perfect?
Not at all. They do not have the same &lt;a href="http://keepass.info/help/v2/autotype_obfuscation.html"&gt;keylogger
protection&lt;/a&gt; that KeePass
has, they've previously been &lt;a href="http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf"&gt;chastised for their mobile
application&lt;/a&gt;, and their &lt;a href="http://help.agilebits.com/1Password3/agile_keychain_design.html"&gt;Agile
Keychain
design&lt;/a&gt; leaks
information about what is contained in its database.&lt;/p&gt;
&lt;p&gt;After a year of utilizing the software, I'm glad to say that I know literally
only one password, my database password. All of my other passwords are randomly
generated, each a unique and strong snowflake for each service that requires it.
All of the passwords are safely backed up on multiple systems and I have
revisions via Dropbox just in case any item gets corrupted. It has been a great
setup and I hope you will give it a try as well and let me know how it goes for
you.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Mon, 14 Jan 2013 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2013-01-14:/blog/2013/01/14/snowflake-passwords.html</guid><category>misc</category></item><item><title>Getting Hired</title><link>https://surkatty.org/blog/2012/10/02/getting-hired.html</link><description>&lt;p&gt;As I was going through the process of deciding what I wanted to do for the rest
of my life, I had only a general idea of what I needed to do in order to get
there. Get a degree in my field and I would eventually land an awesome job. The
reality is there is much more involved in getting there than just that. I gave
this presentation to a group of students at the University of Washington's
&lt;a href="http://ischool.uw.edu/"&gt;iSchool&lt;/a&gt; to hopefully inspire them to
prepare with the things they actually need to do before graduation. Because it
is better to prepare sooner rather than later.&lt;/p&gt;
&lt;p&gt;Slides: &lt;a href="/files/get_hired.pdf"&gt;Getting Hired&lt;/a&gt; (PDF)&lt;/p&gt;
&lt;p&gt;For questions or feedback, please feel free to &lt;a href="/contact"&gt;contact me&lt;/a&gt;.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Tue, 02 Oct 2012 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2012-10-02:/blog/2012/10/02/getting-hired.html</guid><category>misc</category></item><item><title>Defending the Castle</title><link>https://surkatty.org/blog/2012/06/17/defending-the-castle.html</link><description>&lt;p&gt;On 2012-06-17 I presented on the topic of home defense at the &lt;a href="http://www.dc206.org/?p=156"&gt;June DC206
meeting&lt;/a&gt; at
&lt;a href="http://www.blacklodgeresearch.org/"&gt;Black Lodge Research&lt;/a&gt;. Based on the
research I've done, I provided recommendations on different passive defenses
that folks can utilize in order to minimize the chances of becoming a victim.
Recommendations were provided in order of cost effectiveness all the way to
defenses that were &lt;em&gt;nice-to-haves&lt;/em&gt;. You can find the slide deck
&lt;a href="/files/defending_the_castle.pdf"&gt;here&lt;/a&gt;. If you have feedback or questions,
please feel free to &lt;a href="/contact"&gt;contact me&lt;/a&gt;.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Sun, 17 Jun 2012 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2012-06-17:/blog/2012/06/17/defending-the-castle.html</guid><category>misc</category></item><item><title>Remaining Anonymous</title><link>https://surkatty.org/blog/2012/02/01/remaining-anonymous.html</link><description>&lt;p&gt;On 2012-02-01 I presented how a person can "Remain Anonymous" on the Internet.
It covered topics such as current threats, real world examples, and defensive
tools to protect your anonymity. Slides can be found
&lt;a href="/files/remaining_anonymous.pdf"&gt;here&lt;/a&gt;. I'd like to thank
&lt;a href="http://www.dc206.org"&gt;DC206&lt;/a&gt; and &lt;a href="https://www.blacklodgeresearch.org/"&gt;Black Lodge
Research&lt;/a&gt; for allowing me to use their
facilities to give this talk.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Wed, 01 Feb 2012 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2012-02-01:/blog/2012/02/01/remaining-anonymous.html</guid><category>misc</category></item><item><title>Speeding Up Websites</title><link>https://surkatty.org/blog/2011/02/20/speeding-up-websites.html</link><description>&lt;p&gt;Recently I've found myself trying to find ways to speed up a website I run
beyond server level optimizations. What I've found is that there are a multitude
of ways for anybody (or any webmaster in particular) to improve the speed at
which content is delivered on the web. To boil it down, there are essentially
three bottlenecks in anything that resides on the web:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Network (content delivery)&lt;/li&gt;
&lt;li&gt;Client side&lt;/li&gt;
&lt;li&gt;Server side&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So to help you make sense of it all, here are some helpful resources, tips,
and tricks that I&amp;#8217;ve discovered along the way. Since I&amp;#8217;ll be
covering this topic in some depth, I will break the topics up into multiple
posts to make it easier to digest.&lt;/p&gt;
&lt;h2&gt;Delivery of content&lt;/h2&gt;
&lt;p&gt;The first topic I&amp;#8217;d like to cover is the speed at which your content is
delivered (the network bottleneck). This optimization technique probably requires
the least amount of effort on the part of the webmaster, yet it yields the least
amount of benefit unless the content is intended for a global audience. To
summarize this section, here are the topics I&amp;#8217;ll be covering:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Content Distribution Networks&lt;/li&gt;
&lt;li&gt;Content Optimization&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Content Distribution Networks&lt;/strong&gt; (CDNs) are a system of computers that cache
content for you around the globe. In short, there is no way to improve the time
it takes a network cable to bring your content to your customers other than
placing your content closer to your customers. The round trip time between the
north pole and the south pole would stay roughly the same even if an unlimited
amount of bandwidth were available between the two points. In network terms,
this is referred to as &lt;em&gt;Latency&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;If you are a big organization, you can possibly afford to set up multiple data
centers around the globe to ensure that your content is close to your customers.
This approach, however, is much less feasible for smaller businesses like the SMB
market. This is also one of the best reasons to use a CDN: it levels the playing
field for small-to-medium businesses while also delivering your content globally
fast!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Content optimization&lt;/strong&gt; will also help improve the speed of your site. When I
say content optimization, I am referring to the data on the wire that is transferred
between the content provider and the customer. Content optimization includes the
following tactics (ordered from easiest to hardest to implement):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Compression to reduce the amount of data that needs to be transferred. This can be
done through minifying CSS, JavaScript, and HTML.&lt;/li&gt;
&lt;li&gt;Lossless compression of images.&lt;/li&gt;
&lt;li&gt;Reducing network requests. This includes reducing DNS lookups, HTTP requests,
and image requests.&lt;/li&gt;
&lt;li&gt;Combining images and utilizing CSS sprites.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All of these tactics are quite easy to do, but they simply take far too much time
if not automated or thought of beforehand. The benefit of each tactic also
isn&amp;#8217;t fully realized without performing the rest of the operations. A
difference of 10Kb or 5 HTTP requests may not be significant to one user,
but when multiplied across every visitor it can make a notable difference for all
parties involved.&lt;/p&gt;
&lt;p&gt;Here are some tools to help you get started with all the suggestions noted above:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CDN: &lt;a href="http://aws.amazon.com/cloudfront/"&gt;AWS's CloudFront&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Minify: &lt;a href="http://refresh-sf.com/yui/"&gt;JS/CSS Minify&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;CSS Sprites: &lt;a href="http://spritegen.website-performance.org/"&gt;CSS Sprite Generator&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Misc: &lt;a href="http://www.webpagetest.org/"&gt;WebPageTest.org&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Sun, 20 Feb 2011 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2011-02-20:/blog/2011/02/20/speeding-up-websites.html</guid><category>misc</category></item><item><title>How To Recover From A Hacking</title><link>https://surkatty.org/blog/2011/01/12/how-to-recover-from-a-hacking.html</link><description>&lt;p&gt;Shortly after writing my first post, a close friend of mine had his email
account compromised. His main email account began sending spam to everybody in
his contact list; this included his close friends, professors, and professional
contacts. He asked me, &amp;#8220;What do I do now?&amp;#8221; Clearly he needed it to
stop ASAP, and a moderate amount of damage control needed to be done to identify
what had happened and how the hacker was able to obtain his credentials.&lt;/p&gt;
&lt;p&gt;Did somebody shoulder surf him? Was his computer infected with a virus or a
keylogger? Is the perpetrator a malicious individual who happened to see his
account logged in at a public terminal? We don't know. Thus the
paranoid geek in me would like to rule out any and all possibilities to minimize
the chance of reoccurrence. Time was of the essence and there was no time to
spare.&lt;/p&gt;
&lt;p&gt;My friend - we'll call him Bob - wanted to know what he could do &lt;em&gt;right now&lt;/em&gt; to
minimize the damage done. Clearly he didn't want to have old colleagues contact
him saying, "Hey Bob, I don't need those pills. Thanks for thinking of
me," or hear the same from a prospective employer he just applied to. Nor did he need a
message from his mother asking him what '\/14GR4' is. I outlined a
plan for him to recover ASAP and minimize damages. I propose the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Change the locks&lt;/li&gt;
&lt;li&gt;Stop &amp;amp; think&lt;/li&gt;
&lt;li&gt;Clean your computer&lt;/li&gt;
&lt;li&gt;Damage Control&lt;/li&gt;
&lt;li&gt;Monitor&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Change the locks&lt;/strong&gt; - The first thing I told Bob to do was to change his
password. If his credentials were stolen by a malicious friend, co-worker, or
keylogging software, they will no longer be valid once he changes his
credentials. Most malware tends to send captured credentials to its Command and
Control servers on a schedule. This will buy Bob some time before his
credentials are potentially leaked out again to the spammers. Thankfully Bob's
email account was through Gmail, which means he was also able to remotely log out
the attackers from his current session. For more information on
how to do this, see the following &lt;a href="http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-you.html"&gt;blog
post&lt;/a&gt;
from Google's Gmail team.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Stop &amp;amp; think&lt;/strong&gt; - Think about your computer activities for the past week.
What locations have you used to log into your account within the past 7 days?
Has anything unusual happened with your account as of late (i.e. logged in from a
friend's house, lent your personal computer to a friend, installed a new piece
of software on your computer)? Any and all of these activities could have been
your undoing. If you have used a public terminal, chances are your home computer
is fine. If you've just downloaded the latest Justin Bieber concert video from a
non-reputable site or service and proceeded to jam out to it, you might have
been attacked through that vector as well.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Clean your computer&lt;/strong&gt; - After thinking through the possible scenarios that may
have caused you to be infected in the first place, you can begin cleaning your
personal computer. Why? Because chances are that you were infected through your
personal computer, and I did mention that we'd err on the side of caution (see:
paranoia). This will take some time and will not be easy. HardForum has an
excellent how-to guide on &lt;a href="http://hardforum.com/showthread.php?t=1426658"&gt;how to remove
Virus/Trojan/Malware&lt;/a&gt; from your
computer. Once you've followed the guide, move on to the next step.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Damage Control&lt;/strong&gt; - Now you will need to clean up the damage that was left
behind by the attackers. The type of account compromised really dictates how you
should move forward. For example, if your email account was compromised, you
will need to notify all people that have been spammed (see your Sent folder)
that the previous message was not sent by you. You will need to explain to
people the steps that you've taken in order to prevent it from happening again.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Monitor&lt;/strong&gt; - You will now need to closely monitor your account activity for the
next few months. If your account once again becomes compromised, it can mean a
multitude of things. Most likely is that you were unable to clear out all the
infections on your computer. Clearly drastic measures are needed if you hope to
get rid of the infection once and for all. The only known 99.999% effective
measure is to completely wipe and reload your computer. Alternatively, you may
have been re-infected due to an activity that you are doing on your computer.
These activities may include visiting questionable sites, participating in
illegal file sharing, and not having proper counter-measures up to protect
yourself (i.e. anti-virus, firewall, updated computer).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Wed, 12 Jan 2011 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2011-01-12:/blog/2011/01/12/how-to-recover-from-a-hacking.html</guid><category>misc</category></item><item><title>Improving The Update Experience</title><link>https://surkatty.org/blog/2010/12/16/improving-the-update-experience.html</link><description>&lt;p&gt;Updating out-of-date software and applications seems like such a simple task for
technology savvy users that it is quickly overlooked. Developers assume,
&amp;#8220;Oh but of course, users simply need to click on my little notification
box&amp;#8230;accept terms&amp;#8230;choose an installation location&amp;#8230;&amp;#8221; Do you
see where I am going with this? I think it is time to re-think how we (IT
professionals) think about and approach the simplest of tasks for our user base.&lt;/p&gt;
&lt;p&gt;Let me run you through the scenario of what a typical Windows user has to go
through to update their computer's third-party applications. For this example,
I will lay out how some companies perform updating elegantly (Google&amp;#8217;s
Chrome) and how others fail to achieve an acceptable experience (Oracle&amp;#8217;s
Java); and finally I will lay out an overall plan for how all of these seemingly
disparate platforms can unify their experience and improve the overall
experience for each of their user bases.&lt;/p&gt;
&lt;p&gt;Adobe has a page on their site that discusses the varying levels of Adobe Flash
version penetration among its user base (&lt;a
href="http://www.adobe.com/products/player_census/flashplayer/version_penetration.html"&gt;located
here&lt;/a&gt;). Sample data from September 2010 shows that at least a quarter of its
user base does not have the most up-to-date version of the player (in this case,
it is version 10.1). This is an unfortunate statistic, because in addition to
the new features and performance improvements that are released with each new
version, it also brings with it numerous bug and security fixes.&lt;/p&gt;
&lt;p&gt;Oracle&amp;#8217;s Java, which is supported by well over 700 million
PCs (&lt;a href="http://en.wikipedia.org/wiki/Java_%28software_platform%29"&gt;source&lt;/a&gt;),
has the following process for users to update their software:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The Java Scheduler (a background process named &lt;em&gt;jusched.exe&lt;/em&gt;) determines that the current version is out of date.&lt;/li&gt;
&lt;li&gt;A small pop-up appears in the lower right hand corner of your screen that says &amp;#8220;Java Update Available&amp;#8221;.&lt;/li&gt;
&lt;li&gt;The user clicks on this pop-up, assuming they&amp;#8217;ve seen it when it first popped up.&lt;/li&gt;
&lt;li&gt;The user is prompted with a window that states the latest version is &amp;#8220;&lt;em&gt;Java X Update XX&lt;/em&gt;&amp;#8221;, and the user clicks &lt;em&gt;Install&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;Java Scheduler begins to download in the background; when that is completed, a new pop-up appears at the bottom right of the screen notifying the user to click on it once more.&lt;/li&gt;
&lt;li&gt;The user clicks on the pop-up, clicks &lt;em&gt;Next&lt;/em&gt;, and agrees to the License Agreement.&lt;/li&gt;
&lt;li&gt;The user is prompted with an additional screen to install some toolbar or additional software that Oracle has an agreement with.&lt;/li&gt;
&lt;li&gt;Java goes through the process of updating.&lt;/li&gt;
&lt;li&gt;Java is now updated.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This process depends on many variables that put the onus on the 700 million
users to ensure that they know what Java is, see the icon in the taskbar or
the dock, and verify multiple times that they indeed want to update it. No
wonder products aren&amp;#8217;t often updated. Although this is only one example of how
users are made to update their applications, it is very similar to many others
out there today.&lt;/p&gt;
&lt;p&gt;The second update method we will take a look at is the method that Apple&amp;#8217;s
App Store uses on the iPhone. This process is slightly less intrusive than
Java&amp;#8217;s, but can still use some improvements. Here is the process that
users must go through:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The App Store periodically checks to see if any updates exist for installed
applications. If an update is identified, the App Store application subtly
notifies its user by putting a number on the application badge.&lt;/li&gt;
&lt;li&gt;The user notices an update exists for one of their applications and clicks on the App Store badge.&lt;/li&gt;
&lt;li&gt;The user clicks &lt;em&gt;Update All&lt;/em&gt;, enters their iTunes password, and clicks &lt;em&gt;Ok&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;The App Store then minimizes and begins downloading and installing all updated applications.&lt;/li&gt;
&lt;li&gt;The application in question is updated.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The only interaction required by the user is to notice that an application
requires updating and to act on it by confirming that the user wants to update
all applications in question. Again, this puts the duty of application updating
on the users.&lt;/p&gt;
&lt;p&gt;Now let&amp;#8217;s take a look at a third and final method of delivering software
updates to users. Google&amp;#8217;s web browser, Google Chrome, has a very stealthy
way of updating its software. Here is Chrome&amp;#8217;s process:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Chrome determines that the current version is out of date.&lt;/li&gt;
&lt;li&gt;Chrome downloads an updated version of the browser in the background. No notification is given to the user.&lt;/li&gt;
&lt;li&gt;The user is done with their browsing session and closes all windows.&lt;/li&gt;
&lt;li&gt;Chrome remains open in the background to begin installing the updated version. Again, no notification or disruption to the user.&lt;/li&gt;
&lt;li&gt;Google Chrome is now updated.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Although on the surface it may appear that this update process only chops
off four steps, it is like comparing apples and oranges. Java&amp;#8217;s
update method requires multiple confirmations from the user and disruptions.
Google&amp;#8217;s process is completely transparent to the user, as no
confirmations, pop-up boxes, dialogs, or any other type of disruption occur
for the user. The only thing the user has to worry about is what blog to read
next.&lt;/p&gt;
&lt;p&gt;So which system is best? I propose that designers should combine the last two
methods (Apple&amp;#8217;s App Store &amp;amp; Google&amp;#8217;s Chrome). By combining
background updates (Chrome) and a centralized update repository (App Store),
users would be able to update all of their applications efficiently. This can
only be achieved if we could provide a unified approach for updating any type
of application.&lt;/p&gt;
&lt;p&gt;As it stands today, it is up to each individual application/software to manage
its update process. I call on OS developers to provide a method for third party
developers to utilize the OS's current update method (&lt;a href="http://update.microsoft.com/"&gt;Microsoft&amp;#8217;s Windows
Update&lt;/a&gt; &amp;amp; &lt;a href="http://support.apple.com/kb/ht1338"&gt;Apple&amp;#8217;s Software
Update&lt;/a&gt;). With
that said, if the OS update methods were to implement background installs and
allow third-party software developers to utilize their update process, it
would greatly improve the overall user experience for computer users.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Thu, 16 Dec 2010 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2010-12-16:/blog/2010/12/16/improving-the-update-experience.html</guid><category>misc</category></item><item><title>Three Tier Password Management</title><link>https://surkatty.org/blog/2010/11/03/three-tier-password-management.html</link><description>&lt;p&gt;&lt;em&gt;Updated on 2013-01-14: I've since had a change of heart. See &lt;a href="/blog"&gt;Snowflake
Passwords&lt;/a&gt; post. I'm keeping this post here for posterity and future
embarrassment material.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Many noted security practitioners advise users that they need to ensure that
their financial passwords are kept separate from other web services they use.
Some even advocate for a unique password for each service they use. Both methods
I believe are ultimately flawed as they swing the pendulum of password
management from the side of overly simplistic to extremely complicated.&lt;/p&gt;
&lt;p&gt;I propose a simple three tier system for easy password management. This system
ensures a simple separation of passwords to prevent cross access of your digital
life.&lt;/p&gt;
&lt;p&gt;The first tier (or the lowest) is known as the simple password. This password is
used for random websites &amp;amp; services that you may come across during your
journey through the internet. This password would be simple in nature and would
fulfill the most basic password requirements. The requirements for this password are
that it contains 6-8 characters and a minimum of either one upper case
character, number, or special character. Examples include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Password&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;letme1n&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;wh0doneit&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The second tier is reserved for passwords of medium complexity. It is reserved
for reputable services that could be tied back to your real identity. These
services contain no personal information other than your name, birth
month/year, and zip code. If the service or website requests more
information than that, it likely falls under the third tier of this system.
The requirements for this password are 8-12 characters and a minimum of two
of the following: a digit, an upper case character, or a special character. This password
also may not contain any dictionary words (even altered). Password examples
include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Sup3rS3cr3T&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Ple4s3_l3t_me_in&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;p4$$w()rD&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The third and last tier is for passwords that you absolutely do not want to
have disclosed. This tier would include passwords that are linked to your
personal identity, financial information, &amp;amp; personal information. To
effectively eliminate any compromise, ensure that you only access these services
from trusted terminals. Examples of services or sites that would use this tier
would be: shopping websites, email accounts, and your bank accounts. Due to the
sensitivity of these accounts, I would recommend using separate passwords for
each account. If that isn&amp;#8217;t possible, ensure that at least your email
password is unique. The reason behind this is that, generally, your other
accounts can be reset via your email. As such, you want to ensure that you
protect your email account as much as possible. The requirements for this password
are &amp;gt;15 upper- or lower-case characters, a minimum of two numbers, and two
special characters. Password examples include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Sup3rS3cr3T_p4$$w0rd&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;dont_hack_ME_br0_12&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1984won'thappentome_IHOPE&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Please keep in mind that this system may need to be altered to fit specific
password requirements for each service. Good luck and be safe!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Osman Surkatty</dc:creator><pubDate>Wed, 03 Nov 2010 00:00:00 +0000</pubDate><guid isPermaLink="false">tag:surkatty.org,2010-11-03:/blog/2010/11/03/three-tier-password-management.html</guid><category>misc</category></item></channel></rss>
