Wednesday, September 30, 2009

Secure Updates?

Currently I'm looking into secure automatic updates for a .net program I'm developing. I've asked on stackoverflow for people to review my approach to the update process here. In the process I've come across some interesting articles on automated updates and I thought I'd review how other applications go about it.

Java

<java-update-map version="1.0">
<mapping>
<version>1.6.0-rc-b98</version>
<url>http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_15-b71.xml</url>
</mapping>
<mapping>
<version>1.6.0</version>
<url>http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_15-b71.xml</url>
</mapping>

...

</java-update-map>

<java-update>

<information version="1.0" xml:lang="en">
<caption>Java Update - Update Available</caption>
<title>Java Update Available</title>
<description>Java 6 Update 15 is ready to install. Click the Install button to update Java now. If you wish to update Java later, click the Later button. To get a FREE copy of OpenOffice.org, the global standard in free, Microsoft compatible office productivity software, just click the More Information link below.</description>
<moreinfo>http://java.com/infourl</moreinfo>
<AlertTitle>Java Update Available</AlertTitle>
<AlertText>A new version of Java is ready to be installed.</AlertText>
<moreinfotxt>More information...</moreinfotxt>
<url>http://javadl-alt.sun.com/u/ESD6/JSCDL/jre/6u15-b71/jre/jre-6u15-windows-i586-iftw.exe</url>
<version>1.6.0_15-b03</version>
<post-status>https://sjremetrics.java.com/b/ss//6</post-status>
<cntry-lookup>http://jal.sun.com/webapps/installstat/CountryLookup</cntry-lookup>
<predownload></predownload>
<options>/installmethod=jau SP1OFF=1 SP2OFF=1 SP3OFF=1 SP5OFF=1 SP6OFF=1 SP7OFF=1 SP8OFF=1 SP10OFF=1 MSDIR=ms4 NEWMSTB=1 SPWEB=http://javadl-esd.sun.com/update/1.6.0/sp-1.6.0_15-b71</options>
<urlinfo>6068ce6c957932593d20059bebab0dfc8b056ac3</urlinfo>
</information>

...

</java-update>


Paint.net


; 3.xx manifest

DownloadPageUrl=http://www.getpaint.net/download.html

StableVersions=3.36.3158.38068
BetaVersions=3.50.3550.40197

3.36.3158.38068_Name=Paint.NET v3.36
3.36.3158.38068_NetFxVersion=2.0.50727
3.36.3158.38068_InfoUrl=http://www.getpaint.net/roadmap.html#v3_0
3.36.3158.38068_ZipUrlList=http://www.getpaint.net/updates/zip/Paint.NET.3.36.zip
3.36.3158.38068_FullZipUrlList=http://www.getpaint.net/updates/zip/Paint.NET.3.36.zip

3.50.3550.40197_Name=Paint.NET v3.5 Beta 1 (Build 3550)
3.50.3550.40197_NetFxVersion=3.5.1
3.50.3550.40197_InfoUrl=http://paintdotnet.forumer.com/viewtopic.php?f=46&t=31684
3.50.3550.40197_ZipUrlList=http://www.getpaint.net/files/zip/preview/Paint.NET.3.5.Beta.3550.Update.zip,http://www.dotpdn.com/files/Paint.NET.3.5.Beta.3550.Update.zip
3.50.3550.40197_FullZipUrlList=http://www.getpaint.net/files/zip/preview/Paint.NET.3.5.Beta.3550.Install.zip,http://www.dotpdn.com/files/Paint.NET.3.5.Beta.3550.Install.zip


  • This manifest file and the associated binaries don't appear to be signed in any way. Update: Rick Brewster has commented to say that the downloaded binary is signed and the signature is verified.

Skype


4.1.0.166


Other



  • iTunes posts a big blob of data back to Apple on startup checking for updates - I didn't look into this much.
  • Google Chrome also posts back information when checking for updates. My version of Chrome was up to date so I didn't see the update process in action.
  • Firefox was already in the process of downloading a new version so I had already missed the file download negotiation.

Summary


It seems like everyone is doing automatic updates differently (no surprises there). It also looks like there is plenty of scope for man in the middle and spoofing attacks if the downloaded binaries aren't signed or don't have their signatures. It doesn't seem like many people are checking their manifest files before downloading binaries which could lead to Safari style "carpet bombing" where malicious binaries are downloaded onto the system.

Tuesday, September 29, 2009

Roomba Review

Last Christmas we got a Roomba 530 (you can see a similar model here). A Roomba is a robotic vacuum cleaner, however, it mostly collects rubbish (dirt, garbage, hair, etc) using it's system of brushes. Since it is battery powered it doesn't have a very strong vacuum action. Having had Roomba in our house for almost a year I thought I give a quick review of it's pros and cons.

Firstly before I go into the details of the actual Roomba unit there are a few important background details:

  • I live in a small unit that has all hardwood floors.
  • I also have two cats who generate a lot of cat hair.

This combination is almost perfect for an automated cleaner: small amounts of dust and cat hair need cleaning every few days, there is no carpet to soak up dirt.

Pros

Roomba is awesome!!!11

It is quite cool to have an automated robot to go and clean your floors while you sit back and watch. And it is very mesmerising at first the way Roomba negotiates chair legs, people and other obstacles. Its a cliché but I do wonder if the next generation will even know what a "manual" vacuum cleaner is.

Roomba is small

In a small unit space is important, Roomba takes up a fraction of the space of a traditional vacuum cleaner.

Roomba cleans where you can't

To paraphrase the iRobot promotional video, 'Roomba cleans under stuff'. I am constantly surprised at how much gunk it is able to find underneath furniture like our couch (out of sight out of mind I guess).

Fire and forget

You can put Roomba on and go out; it will happily clean and re-dock itself once its done. However it practice you need to clear the floor of cables, etc. Otherwise you will come back to find Roomba has eaten the cord of your curtains and is hopelessly stuck.

Quiet

Roomba is noisy, but compared to a regular vacuum cleaner it is very quiet. My cats would run away when we started to put together the old vacuum cleaner but with Roomba they are happy to hang around and watch it with disdain.

Cons

Maintenance, maintenance, maintenance

The main problem with Roomba is that while it cleans your house without much supervision you need to clean it. After every clean you need to empty its pathetically small bin and after most cleans you need to clean the main brushes. Every three or four cleans I have to also remove hair from it's wheels and in the bearings of the main brushes. Occasionally you have to unscrew the 'flicking' brush to remove some long string that its eaten. Finally after about 8 months I notices that Roomba was no longer driving around in a straight line and I had to clean its sensors with a cotton bud.

 
Hair on the brushes

Hair in the bearings

Hair cleaned off the brushes

Gunk from the sensors

Fire and forget?

Fire and forget is sometimes like fire and get stuck: unless you prepare your floor removing any big particles (or are insanely neat) Roomba will eat a rubber band, pen, string, cable or similar and get is main brushes stuck. Usually I put Roomba on and then start to clear things that it might get caught on.

Dark furniture

Roomba uses several sensors to work out if it is going to bump into things before it actually triggers its big bumper. Unfortunately these sensors don't pick up dark furniture very well and as a result Roomba bangs into things (quite loudly). Short of putting reflector strips at Roomba height you can always move the furniture or just ignore it.

Summary

Roomba is awesome and I love it but it does require maintenance. Having seen it in action I feel that it works best on hard floors but it seemed to work well on carpet when I tried it at my parent's place. The main advantages are being able to put it on and leave it and also that it cleans under furniture. It does have some annoying quirks but nothing that has bothers me too much.

Friday, September 25, 2009