Now thats a backdoor.

This might be old news for learned folks but this came across as news for me. Yesterday lwn.net had an posted an article on LinuxDNA project reporting that they have been able to successfully compile Linux kernel using Intel C compiler. While this did not excite me enough, one comment did catch my attention.

Apparently the legendary Ken Thomson admitted a fiendishly clever backdoor while accepting the 1983 Turing Award. In the early versions of Unix, the C compiler contained code that would recognize when the login command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

But this is not the best part. In a source code review of compiler such a back door could be easily removed by removing it and recompiling the compiler.Now you need a compiler to recompile this compiler. Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled login and the code to recognize itself and do the whole thing again in future recompilation of compilers. Having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

(Text taken from the Jargon files)

He also made sure that the subverted compiler also subverted the disassembler, so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead.

A subscriber JoeBuck on lwn thread then explained how this is checked in GCC. Below are his words. I hope there is no copyright violation.

GCC is built with a three-stage bootstrap procedure. First the compiler is built with some C compiler, that might be an older GCC, or might be a different compiler entirely. The result is “stage 1”. Next, GCC is built again, by the “stage 1” compiler, to produce “stage 2”. Finally, GCC is built with “stage 2” and the result is “stage 3”. We then check to see whether “stage 2” is bit-for-bit identical (other than date stamps in object files) with “stage 3”. If it isn’t, we report a failure. The key is that this process is designed to remove any dependence in the final compiler from the initial compiler. This check is run every time gcc is built from source, and every developer must run this check before any patch is acceptable (plus all the other regressions, of course).

Now, suppose that you suspect that your GCC has a version of the Thompson hack installed. The check is simple: just do the three-stage bootstrap starting with a different compiler, and verify that you get an identical result. You’ve either proven that there’s no hack, or that the other compiler has the hack too. You can repeat the process using cross-compilation. If you carry this out, you’ll be forced to conclude that either there is no Thompson hack, or else that every C compiler you tried has the identical hack.

Thomson’s view on this can be read here

Oh what you learn from reading footnotes, comments, trivia

Building Pidgin and Sipe

From the blog statistics it seems that a lot of people are now interested in using SIPE for communicating with OCS. In one of my previous post I had mentioned that SIPE with pidgin works wonderfully so I think its now appropriate that I should mention how I built Pidgin and SIPE. These instructions are applicable for Ubuntu (and Debian)

First you obviously need to get the sources :-P. You can get pidgin here.  I had used the 1.3.2 release of SIPE. Untar the source packages. In addition you essentially require to install the following packages.

sudo apt-get install autotools-dev libtool intltool

I had configured pidgin using the following options

./configure –disable-gstreamer  –disable-meanwhile  –disable-perl –disable-tcl –disable-tk

This essentially means that there would be no support for sound and scripting in perl, tcl or tk. Also “meanwhile” a port of Lotus Sametime would not be available as well. Building pidgin required installing the following packages

sudo apt-get install automake1.7 intltool libglib2.0-dev pkg-config libatk1.0-dev libcairo2-dev libexpat1-dev libfontconfig1-dev libfreetype6-dev libgtk2.0-dev libice-dev libpango1.0-dev libpng12-dev libsm-dev libxcomposite-dev libxcursor-dev libxdamage-dev libxfixes-dev libxft-dev libxi-dev libxrandr-dev libxrender-dev x11proto-composite-dev x11proto-damage-dev x11proto-fixes-dev x11proto-randr-dev x11proto-render-dev zlib1g-dev libstartup-notification0 libgtkspell-dev libxml2-dev libavahi-client-dev  libavahi-core-dev libavahi-ui-dev
libdbus0-dev libdbus-1-dev libdbus-glib0-dev libdbus-glib-1-dev libdbus-glib-dev libnm-util-dev network-manager-dev libgcrypt11-dev libgnutls-dev libgnutlsxx13 libgpg-error-dev liblzo2-dev libopencdk8-dev libpopt-dev libtasn1-3-dev  comerr-dev e2fslibs-dev

Yup with all the other options that were enabled, you really need those many packages. This would prepare pidgin to be installed in /usr/local. However,  if you want to install pidgin in /usr then add the following to configure

–prefix=/usr/

now do

make

sudo make install

For configuring sipe do the following in sipe source directory

./configure

By default this would install in /usr/local and this should pick up pidgin development headers as well. However, if you have installed pidgin in /usr append –prefix=/usr at the configure stage. Now do the usual

make

sudo make install

For configuring your account, choose Microsoft OCS/LCS from the protocols drop down list.  Fill in the following details

username: your email address (firstname.secondname@domain.com)
password: your password

Advanced:
Use proxy : checked
Proxy server:  Usually this is your exchange server, but ask your IT department.
Use non standard port : checked
Port : 5061
Connection type : SSL/TLS ( or OCS is not running on SSL)
UserAgent: OC/2.0.6362.0 ( This corresponds to the latest Microsoft OCS client)
Auth User: your windows domain credentials
Auth Domain: your windows domain

You can also find out the server and port details by using wireshark on a Windows OCS client installation

The Sourceforge forum for this project is very helpful. If anything does not work, don’t hesitate to ask.

Once you save this you may be prompted to accept server certificate. This should setup your account. Should I say “Happy chatting”.

Amazing wit

Unlike his batting, Sunil Gavaskar’s commentary is hard hitting and contains great one-liners. During yesterday’s T20 India-Sri Lanka match he came up with one such gem.

Describing Pathan brothers partenership he said, “They must do to Sri Lanka what Lehman Brothers did to the world”. Ouch

Crocodile in Saree.

We saw “Luck By Chance” on Friday.It is a satire on the film industry and unlike “Om Shanti Om”, it is not over the top. There were a few things that were really good. But overall  I do not agree with the lavish praise heaped upon by critics. Sure the movie deserved 3 stars but not more than that.

A few good things in the movie.

• The initial credit rolls. You might miss it if you watch it casually. So pay special attention and you will realize what subtlety is all about.
• Rishi Kapoor. He rocks. Farhan might be the central lead in this movie but Rishi Kapoor makes this film work.  He plays an old school Punjabi Film producer and has some of the best lines in the movie. Sample this. He describes Dimple Kapadia as “a crocodile in chiffon saree”. Notice the difference in the way he says “kya baat hain” when Dimple Kapadia introduces him to a new producer of the movie played by Boman Irani.
• Konkana Sen Sharma. She knows how to underplay and one can actually relate to her story.
• Dimple Kapadia, especially in the one scene where she is abusing and threatening the editor of a magazine that has printed some gossip about her daughter.
• It take guts to play the kind of role played by Sanjay Kapoor and the tongue-in-cheek remarks by John Abraham. For subtle humour, the movie scores all the brownie points.

However at 156 minutes, the movie is a tad too long. Somewhat tighter wielding of the scissors would have made this a very entertaining movie. Also, I did not understand  the reason for justifying Dimple’s mannerism. Farhan was depicted as a self-conceited person without any hint of apology and easily that could have been done for Dimple as well. People are brash and pompous and we must learn to show them and take them at face value. Farhan also looks a bit stiff at some places specially in the dance numbers.

Some days back we (my wife and myself) had decided that we would go to cinema halls for movies that get a rating of at least 4 stars by critics and specially Rajeev Masand of CNN-IBN7. After watching this movie, I want my money back Mr Masand. The movie is definitely watchable but only on Television.

An enthralling book.

It is going to be a prolific day for me. After all two blog post on a single day from me tantamount to 150 that Gautam Gambhir scored today :P.

Ok Ok. I think I should get back to the point. Some days back, I had blogged about an article by Ramachandra Guha on Anil Kumble. Mighty impressed by that, I bought this enthralling read “A Corner of a Foreign Field” by the same author.  The book analyses the Indian psyche with regards to cricket. After all, just recently ICC created a mini storm in India by not including Tendulkar in its list of greatest batsmen. The book explores how cricket was first played by British soldiers in India and then how slowly, natives started liking the game. It also gives an interesting insight into the politics and the social system of the times.

Parsis, who followed everything British, were the first ones to adopt the game. Interestingly nationalist like Dadabhai Naroji also had a keen following in the game. Slowly others started to follow the game, reasons and means being different for everyone.

Now we have reached a stage where perfect strangers can discuss the game passionately for hours. Remember the Reliance ad “Square cut maarna tha na yaar”.

We should have been taught history in this manner only.What games did Ibrahim Lodhi followed? Did Auranzeb play “Gilli-Danda”?  Then I am sure I would have maxed history paper. 🙂

Bugs bugs everywhere everywhere

Time to gripe again.  Sounding like a whiner, ain’t I. But then don’t we all expect things to work perfectly. Recently I changed WordPress settings to use  SSL for admin pages. I use opera for my browsing experience and have installed flashblocker for obvious reasons. Now the trouble is that I cannot access statistics for this site. (It is a flash plug in for the really uninformed.) So I cannot see the really high rate (quote this as an example of hyperbole in your term examinations) of traffic coming to this blog. And the blasted thing is that I have forgotten how to disable this setting. EEEEEEks.

Hey I just noticed that the spell checker marks “WordPress” and “blog” as spelling errors. Am I missing something? Am I griping too much? May be this is a sign for me to shut up.