The Curse Of Silence

A serious vulnerability for Nokia phones has been unveiled. This vulnerability blocks all incoming messages, whether it be in the form of SMS or MMS. It is considered to be a "Remote SMS/MMS Denial of Service" and is called the "Curse Of Silence".

If the name isn’t enough to convince you just how bad this exploit really is, consider this: One day, you might wake up not being able to receive any messages on your phone. Probably you will think the problem is a hardware or software defect, but in the end it's just because of this exploit.

This vulnerability can be explored by sending a simple, carefully tweaked SMS to any S60-based Nokia phone. Furthermore, the user interface does not give any indication of this situation.

How it really works

Emails can be sent via SMS by setting the messages Protocol Identifier to "Internet Electronic Mail" and formatting the message like this:

<email-address><space><message body>

If such messages contain an <email-address> with more than 32 characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after only one message, 2.8 and 3.1 devices after 11 messages.

The simplest way to perform this attack is to write a SMS containing "123456789@123456789.1234567890123 " (the digits are used only to illustrate the length of the "email address" of more than 32 characters) to the target device. Note the space at the end of the message!

Don't forget, you need to send a SMS with the type set to E-Mail (0x50). For example, on S60 devices, when in the message editor, the type of the message can be switched to "E-mail" under "Options" -> "Sending options" -> "Message sent as". The 6310i conveniently offers a "Write email" menu entry in the messaging menu.

Workarounds

The only action to remedy this situation from user side seems to be the installation of small application created by Nokia or a Factory Reset of the device (by entering "*#7370#").

Furthermore, some network operators may also filter messages with TP-PID "Internet Electronic Mail" and an email address of more than 32 characters or reset the TP-PID of these messages to 0.

Detailed List of Affected Products

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

Using Java Generics

Many programmers are unsatisfied with the restrictions caused by the way generics are implemented in Java. Generics are implemented using erasure, in which generic type parameters are simply removed at compile time (Thus not available to the JVM at runtime). However, that doesn't render generics useless.

Since Java has two compilation steps, during the first phase (compile-time) the compiler will insert necessary casts in the code (so you don't have to) based on the generic type parameters, and then perform the typechecking. During the second phase the JVM doesn’t make use of type information for type parameters (though it seems like the information is stored in the ".class" file metadata area).

Since the JVM isn’t aware of the type parameters associated with a type, it isn’t able to infer that certain operations are safe.

Map<Integer,String> m = new HashMap<Integer,String>();
m.put(1, "SomeString");
String s = m.get(1);

The new Java language allows the above code, but it gets compiled to:

Map m = new HashMap();
m.put(1, "SomeString");
String s = (String) m.get(1);

The lack of runtime type information causes things to not work as expected.

Generic Arrays

You cannot instantiate arrays of concrete parameterized types.

List<Point3D>[] l = new List<Point3D>[10];

The compiler will reject that because it could lead to a type error.

The problem stems from the fact that every time you store a value into an array, there’s a runtime check involved. While that check might be optimized away in certain situations, the language spec doesn’t identify those situations; as far as the semantics are concerned, arrays are not really type safe.

The main source of all the array-related issues is that Java arrays are covariant even though this is not typesafe. That’s why storing to an array requires runtime checks. If array variance was handled properly, there’d be no problem.

Casts

Runtime type casting relies on runtime type information. When you don’t have that information, casts don’t work correctly.

public void fun(Object o) {
  List<Integer> l = (List<Integer>) o;
}

The compiler will issue a warning on line 2 saying that the cast is unchecked. It’s not fully unchecked, because the JVM will check to see if it’s actually a "List", but it can’t check whether it’s a list of Integers or Point3D because that information has been erased.

Since it’s only a warning, you can execute that code and this particular fragment will run just fine. The problem only surfaces when you try and access one of the list elements with, for example, get(). The Java compiler automatically casts the return value of get() to Integer so if the list you got actually contained Point3D objects, you’ll end up with a ClassCastException.

The root problem here is that casts aren’t really type safe. Many functional programming languages use type-safe tagged unions to achieve the similar functionality.

Can’t Call Constructor

public class Pair<T> {
    T x1, x2;
    public Pair() {}
    public void init() {
        x1 = new T();  // Error
        x2 = new T();  // Error
    }
}

This limitation isn’t solely due to type erasure. This is disallowed because there’s no guarantee that the class "T" has a constructor that takes zero parameters. However, you can get around this by using a factory:

public interface Factory<T> {
    T create();
}

public  class Container<T> {
    Factory<T> factory;
    T x1, x2;

    public Pair(Factory<T> factory) { 
        this.factory = factory 
    }

    public void init() {
        x1 = factory.create ();
        x2 = factory.create ();
    }
}

Hacking Generics

Let’s assume we want to create an array to handle generic operations with generic types (e.g. Array multiplication of numeric and non-numeric types: Integer, Point3D, String, ..)

As you know you can’t create an array of generics with T[] t = new T[1] and we can't use Class clazz = T.getClass(). However inside a static context we can access some information about the generic type using the following code:

Class clazz = (Class) ((java.lang.reflect.ParameterizedType)
    getClass().getGenericSuperclass()
        ).getActualTypeArguments()[0];

Now that we know the type, it is possible to allocate the generic array and optionally instantiate it.

array = (T[]) Array.newInstance(clazz, size); 

/** Call default constructor */
array[0] = (T) clazz.newInstance();

/** Call constructor T(String, Integer) */
array[0] = (T) clazz.getConstructor(String.class, 
                Integer.class).newInstance("SomeString", 1);

In order to be successful with the static modifier, we need to code the generic array class as an inner class (see next code snippet). The inner class GenericArrayImpl will provide the basic implementation of a generic array that also initializes the generic objects. Specific array operations are implemented by specialized generic array implementations (see NonNumericArray and NumericArray).

public interface IGenericArray<T> {
    public T get(int i);
    public void multiply(T obj);
}

public class GenericArray {

   /** Contains the implementation of common methods */
   private static abstract class GenericArrayImpl <T> 
                           implements IGenericArray<T> {
      …
   }

   /** Our non-numeric class */
   private static class NonNumericArray extends 
                  GenericArrayImpl<NonNumericClass> { 

      public NonNumericArray(int initialSize) {
         super(initialSize);
      }
 
      @Override
      public void multiply(NonNumericClass obj) {
         for (int j = 0; j < size; j++)
            array[j].multiply(obj);
      } 
   }

   private static class NumericArray extends 
                        GenericArrayImpl <Integer> {
 
      public NumericArray(int initialSize) {
         super(initialSize);
      }
 
      @Override
      public void multiply(Integer obj) {
         for (int j = 0; j < size; j++)
            array[j] *= obj;
      } 
   }
}

A possible implementation for GenericArrayImpl may be:

private static abstract class GenericArrayImpl<T> 
                             implements IGenericArray<T> {

   protected T[] array;
   protected int size;
 
   public GenericArrayImpl(int initialSize) {
      this.size = initialSize;
      initialize();
   }

   @SuppressWarnings({ "unchecked" })
   private void initialize(){  
      Class clazz = 
      (Class) ((java.lang.reflect.ParameterizedType) 
            getClass().getGenericSuperclass()
            ).getActualTypeArguments()[0];

      /** Allocate the array */
      array = (T[]) Array.newInstance(clazz, size); 
  
      /** Initialize objects in the array */
      for (int j = 0; j < size; j++){
         try {
            /** Call default constructor */
            if(array[j] == null)
               array[j] = (T) clazz.newInstance();
   
            /** 
             * Perform some other operations: 
             * array[j].doSomething();
             */
         }
         catch (InstantiationException e) {
            e.printStackTrace();
         }
         catch (IllegalAccessException e) {
            e.printStackTrace();
         }
         catch (IllegalArgumentException e) {
            e.printStackTrace();
         }
         catch (SecurityException e) {
            e.printStackTrace();
         }
      }
   }
 
   /** Common implementation (to avoid duplicated code) */
   public T get(int p){
      return array[p];
   }
}

Now we implement the non-numeric class, where the multiplication is defined.

class NonNumericClass {

   private String data;
 
   public NonNumericClass (){
      data = "default";
   }
 
   public void multiply(NonNumericClass c){
      this.data += c.data;
   }
 
   @Override
   public String toString(){
      return data;
   }
}

And voilá:

/** Working with arrays of NonNumericClass */
IGenericArray<NonNumericClass> a = new GenericArray.NonNumericArray(1);
a.multiply(new NonNumericClass());

/** Working with arrays of Integer */
IGenericArray<Integer> b = new GenericArray.NumericArray(1);
b.multiply(new Integer(1));

References

[1] Type erasure is not evil. cakoose.com. http://cakoose.com/wiki/type_erasure_is_not_evil. Retrieved on 2010-09-02.

Improve your online safety through Internet filters

Did you knew that instant messaging is one of the most known methods used by hackers, worm virus, identify thieves, online predators and cyber stalkers to attack your safety and your computer. Most attacks are accomplished through programs used everyday such as MSN Messenger, Yahoo Messenger, ICQ, AIM, Skype, eMule, iTunes, individual web sites, peer-to-peer file sharing and more.

If you are worried about your safety, the safety of your children or the security of your computer, then you should start taking extra measures to improve it. IM Lock is a service designed to protect Internet users against such threats. You can see it as an internet filter that improves your desktop security by controlling the access to unwanted information. Therefore, you can simply filter internet content by blocking any popular service listed above all of the time, or according to a schedule of your choosing.

This service is only a complement to the existing Internet firewalls and anti-virus measures. Firewalls and anti-virus programs alone can't stop a persistent user who wants to chat, trade files, or visit disallowed web sites.

SIGGRAPH 2009

Here's a video preview of SIGGRAPH 2009 technical papers. For more detailed information check the SIGGRAPH website.

Anti-SPAM Techniques: Sender Policy Framework (SPF)

Did you ever received span from your own address ?

SPF is a Policy Framework to help domain owners to identify and pinpoint all the servers which are expected to send mail from their domain, in a DNS record. Therefore, its possible for SMTP receivers (e.g. MTAs like Exim, Postfix, Qmail etc.) to verify the envelope sender address against this information, and distinguish authentic messages from forgeries - reducing the chance of email 'spoofing', phishing schemes and spam!

Create a SPF record

In the past many people have avoided SPF because of the trouble of setting up the SPF records - especially when using multiple ISP's or having mobile users. Nowadays this task can be simplified through this online tool: The SPF Setup Wizard

Deploy the SPF record

To use the newly created SPF record on a domain, make sure you have access to create a TXT-DNS record for the given domain. If you have access to create a TXT-DNS record all you need is to create such a TXT-DNS record containing the SPF record information, and you are done.

SPF helps avoiding forgery but doesn't resolve the spam problem

The main problem is that there aren't many SPF records out there, so most of your lookups will come up with no information. Besides that, there is a lot of invalid/misconfigured SPF records out there.

But even if everybody were to publish SPF records, and the forgery issue is resolved, it doesn't help prevent spam coming from non-forged envelopes. In fact many spammers started publishing SPF records for their spamming machines, so if you ever thought to use SPF to filter SPAM, you will have to rethink your strategy since it doesn't work.

References

[1] Sender Policy Framework (SPF) Record and Godaddy. jamiejamison.com. http://www.jamiejamison.com/2005/08/sender_policy_f.html. Retrieved on 2009-11-06.

[2] Creating SPF Records. godaddy.com. http://help.godaddy.com/article/3047. Retrieved on 2009-11-06.

How to create executable JAR archives with dependent libraries

As you may know, you can combine several Java classes into a runnable JAR file. Through this approach you can pack large projects and execute them more easily.
The following steps will illustrate how to create and run a JAR file.

1. Create a JAR

First, you need to create a Manifest file, which should contain at least the following lines:

• Class-Path: <lib1.jar> <lib2.jar> <path/lib3.jar>
• Main-Class: <classname>
• Place a new line at the end of this file

Then use jar.exe to create a runnable JAR using the following command:

jar cvfm <your_jar_file.jar> <manifest_file> 
                              <class_files> <libraries>

If you prefer, you can use a Ant script to generate the manifest and create the JAR file. Within this script you need to change the value for jar.name and main.class. Optionally you may need to adjust the values for build.home and deploy.home.

<?xml version="1.0" encoding="UTF-8"?>
<project name="MyProject" default="jar">

  <!-- Name of the output .jar file -->
  <property name="jar.name" value="jar_name.jar" />

  <!-- Base directory for distribution target -->
  <property name="deploy.home" value="." />

  <!-- Base directory for compilation targets -->
  <property name="build.home" value="." />

  <!-- Main class -->
  <property name="main.class" value="my.path.to.the.main.Application" />
 
  <!-- The base directory for all libraries (jar) files -->
  <property name="lib.home" value="lib" />

  <target name="jar" description="Create jar and MANIFEST.MF">

    <pathconvert property="libs.project" pathsep=" ">
      <mapper>
        <chainedmapper>
          <!-- remove absolute path -->
          <flattenmapper />

          <!-- add lib/ prefix -->
          <globmapper from="*" to="lib/*" />
        </chainedmapper>
      </mapper>
      <path>
        <!-- lib.home contains all jar files, 
                                        in several subdirectories -->
        <fileset dir="${lib.home}">
          <include name="**/*.jar" />
        </fileset>
      </path>

    </pathconvert>

    <!-- create the jar -->
    <jar jarfile="${deploy.home}/${jar.name}" basedir="${build.home}/classes">

      <manifest>
        <attribute name="Built-By" value="${user.name}" />
        <attribute name="Main-Class" value="${main.class}" />

        <!-- Finally, use the generated libs path -->
        <attribute name="Class-Path" value="${libs.project}" />
      </manifest>

    </jar>
  </target>

</project>

As a result you may get something similar to:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.7.0
Created-By: 11.3-b02 (Sun Microsystems Inc.)
Built-By: bruno.simoes
Main-Class: my.path.to.the.main.Application
Class-Path: lib/somelib.jar lib/anotherlib.jar

2. Execute a JAR

Double click the .jar file and see what happens. Maybe it is already working, and you have to do nothing. If it opens in your archiver software, then you need to find out what OS are you running and then respectively associate the file with the Java Runtime Environment.

2.1 Windows

1. Go to "My Computer", click on one of your drives (C for instance). When it is shown, choose "Tools->Folder Options" (or Properties. It's in different places depending on the windows version). Alternatively, open windows explorer (just open any folder) to get the "Tools -> Folder Options" window.
2. When you get the folder options window, click on the tab "File Types". You should be able to either edit or add JAR files (.jar extension)
3. Change the program used to open JAR files. In the file select window, go to the folder where the JRE is installed (should be C:/Program Files/Java/ (...), mark "Always Open With", and select the javaw.exe file

Another way to do it is:

1. Left-click the .jar file, and select the option "Open With".
2. If you can't see it in the left-click menu, try holding shift while clicking.
3. Select javaw.exe as above, and see if it runs.

2.2 GNU/Linux

1. In the left click menu, there should be the "open with" enabled by default. Select "Sun Java X.X runtime", and run it.
2. If you want to always open .jar files with Java instead of the archiver, select the right click menu, click on properties.
   
   • Select the open with tab.
   • There should be the Java software there to select. Make your choice, and confirm.

2.3 Command Line

1. Open a command line window.
   
   • In Windows, click on "start", select "run", and type "command" or "cmd" on the text box.
   • For GNU/Linux, I assume you know how to do it.
     
     • It really depends on the distribution you are using, but GNU/Linux users work much more with the command prompt.
     • you can press ctrl + alt + F1-F6 to switch to text console, and ctrl + alt + F7 to return to the graphic mode.
2. Go to the folder with the .jar file.
3. Type:

   java -jar <your_jar_file.jar>

An Analyze-and-Edit Approach to Shape Manipulation

iWires is a novel approach based on the argument that man-made models can be distilled using a few special 1D wires and their mutual relations. So, prior to editing, is performed a light-weight analysis of the input shape to extract a descriptive set of wires. Analyzing the individual and mutual properties of the wires, and augmenting them with geometric attributes makes them intelligent and ready to be manipulated.